
Lecture Notes

Cryptography & Advanced Methods of Cryptography

Prof. Dr. Rudolf Mathar
Rheinisch-Westfälische Technische Hochschule Aachen
Lehrstuhl für Theoretische Informationstechnik
Sommerfeldstraße 24
52074 Aachen

Version from January 7, 2013
Contents

1. Introduction
   1.1. Fundamental Knowledge for Cryptographers
2. Classical Cryptography
   2.1. The Scytale
   2.2. Substitution Cipher
      2.2.1. Caesar Cipher
      2.2.2. Affine Cipher in Z_m
   2.3. Permutation Cipher
   2.4. Vigenère Cipher
   2.5. Hill Cipher (1929)
   2.6. Formal Definition of a Cryptosystem and Types of Attacks
      2.6.1. Cryptanalysis
3. Cryptanalysis of Classical Systems
   3.1. Frequency Analysis
   3.2. The Friedman Test
   3.3. Estimating the Keylength of a Vigenère Cipher
   3.4. Attacks Against Vigenère Cipher with Running Key
4. Entropy and Perfect Secrecy
   4.1. Foundations of Information Theory
      4.1.1. Entropy
      4.1.2. Coding
   4.2. Perfect Secrecy
      4.2.1. Perfect Secrecy of the Vernam Cipher
5. Fast Block Ciphers
   5.1. The Data Encryption Standard (DES)
      5.1.1. Description of DES
   5.2. The Advanced Encryption Standard (AES)
      5.2.1. Encryption Procedure
      5.2.2. Key Expansion
      5.2.3. Decryption
      5.2.4. Design Considerations and Security
   5.3. Other Block Ciphers
   5.4. Modes of Operation
      5.4.1. Electronic Codebook Mode (ECB)
      5.4.2. Cipher-Block Chaining Mode (CBC)
      5.4.3. Output Feedback Mode (OFB)
      5.4.4. Cipher Feedback Mode (CFB)
      5.4.5. Counter Mode (CTR)
6. Number-Theoretic Reference Problems
   6.1. Primality Testing
      6.1.1. Fermat Primality Test (FPT)
      6.1.2. Miller-Rabin Primality Test (MRPT)
      6.1.3. Deterministic Primality Testing
      6.1.4. Finding Large Prime Numbers
   6.2. The Integer Factorization Problem
   6.3. The Extended Euclidean Algorithm
   6.4. The Chinese Remainder Theorem
7. The Discrete Logarithm
   7.1. Diffie-Hellman Key Distribution and Key Agreement
      7.1.1. Intruder-in-the-Middle Attack on the DH-System
   7.2. Shamir's No-Key Protocol
8. Public-Key Cryptography
   8.1. The RSA-Cryptosystem
      8.1.1. Security of RSA
      8.1.2. Implementation of RSA
      8.1.3. The RSA Signature Scheme
   8.2. The ElGamal Cryptosystem
   8.3. Generalized ElGamal Encryption
   8.4. Public Key Infrastructure
      8.4.1. The PGP Hierarchy
9. Public Key Cryptography (ctd.)
   9.1. A Side-Channel Attack Against RSA
   9.2. The Rabin Cryptosystem
   9.3. Flipping Coins over the Telephone
   9.4. Probabilistic Public-Key Encryption
      9.4.1. The Goldwasser-Micali Cryptosystem
      9.4.2. The Blum-Goldwasser Cryptosystem
10. Cryptographic Hash Functions
   10.1. Security of Hash Functions
   10.2. Construction of Hash Functions
      10.2.1. Description of SHA-1
   10.3. Message Authentication
      10.3.1. A General Construction Principle for MACs
11. Signature Schemes
   11.1. The ElGamal Signature Scheme
      11.1.1. Security of the ElGamal Signature Scheme
   11.2. The Digital Signature Algorithm (DSA)
12. Identification and Entity Authentication
   12.1. Passwords
      12.1.1. Fixed Password Schemes
      12.1.2. One-Time Passwords
      12.1.3. Lamport's Protocol
   12.2. Challenge-Response Identification (C-R-Ident.)
      12.2.1. Challenge-Response Identification by Symmetric-Key Encryption
      12.2.2. Challenge-Response by Public-Key Techniques
      12.2.3. Challenge-Response Based on Digital Signatures
   12.3. Kerberos
   12.4. Zero Knowledge Protocols
      12.4.1. Feige-Fiat-Shamir Identification Protocol
      12.4.2. Schnorr Identification Protocol
   12.5. Threshold Cryptography
13. Elliptic Curves
   13.1. Foundations and Definitions
   13.2. The Group Law
      13.2.1. Group Order #E(F_q)
   13.3. The DLP on Elliptic Curves
      13.3.1. Algorithms for Solving DLP/ECDLP
      13.3.2. Cryptographically Secure Elliptic Curves
      13.3.3. Comparison DLP vs. ECDLP
   13.4. Cryptographic Applications
      13.4.1. Diffie-Hellman Key Exchange
      13.4.2. ElGamal on Elliptic Curves (ECElGamal)
      13.4.3. The Elliptic Curve Integrated Encryption Scheme (ECIES)
14. Quantum Cryptography
   14.1. A Quantum Experiment
   14.2. Quantum Key Exchange
A. Mathematical Background
   A.1. Basics from Algebra and Number Theory
      A.1.1. Groups
      A.1.2. Rings
      A.1.3. Fields
   A.2. Modular Arithmetic
Bibliography
1. Introduction

"Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication." (Handbook of Applied Cryptography)

As indicated by this definition from [MvOV96], the objects of cryptography mainly include:
- Concealing data and messages from eavesdroppers, making them available only to entitled users/receivers,
- Authentication (of users and messages),
- Anonymity,
- Protocols (transmission and key management).
Before 1975 cryptographic methods and protocols were developed mostly in military research. During those days most computers were mainframes and computer networks had only just begun to develop (the ARPANET, predecessor of the Internet, started with four nodes in 1969).
From the late 1970s, distributed computers with increasing connectivity and communication led to a growing public and private interest in methods to protect privacy and confidentiality. One of the most important contributions in making cryptography an everyday technique was the paper "New Directions in Cryptography" by Whitfield Diffie and Martin Hellman from 1976 [DH76]. It introduced the principles of public-key cryptography and thus set the foundations for today's applications like electronic banking, e-commerce, electronic cash, automatic debiting, computer access controls and secure communication over public networks.
1.1. Fundamental Knowledge for Cryptographers
This section introduces notations used throughout the lecture and provides some information on cryptographic research societies.
In the description of cryptographic protocols we use common names for the participants of the communication. Alice and Bob are the leading actors in every communication; if a third actor is needed, we will usually choose a name beginning with C, like Cherie. The opponent of Alice and Bob, who tries to break into the communication, will be called Oskar. Sometimes Eve (derived from "eavesdropping") will be used.
The largest employer of mathematicians in the world is the American intelligence agency NSA (National Security Agency, http://www.nsa.gov), which was founded in 1952.
The International Association for Cryptologic Research (IACR, http://www.iacr.org) was founded in 1983. It is a scientific institution with three conferences per year (CRYPTO in the USA, EUROCRYPT in Europe and ASIACRYPT in Asia).
One of the most important institutions for cryptography in Germany is the BSI (Bundesamt für Sicherheit in der Informationstechnik, http://www.bsi.de) in Bonn.
2. Classical Cryptography
The roots of cryptography reach back to the ancient Greeks. Many other examples of early cryptosystems have been handed down. This chapter describes some of the most famous systems, like the one used by Caesar during the Gallic Wars or the cipher developed by Blaise de Vigenère in the 16th century. A detailed description of the history of cryptography can be found in [Sin99].

2.1. The Scytale
The Scytale is a cryptosystem used by the Spartans around 400 BC. It consists of a rod (the scytale) of a certain diameter and a strip of parchment. To encrypt a message, the blank strip of parchment is wrapped around the rod. Then the letters are written columnwise on the parchment. Unwrapping the strip of parchment leaves a meaningless message. Decryption is done using a rod of the same diameter. The key in this system is just the diameter of the rod. In modern terms the scytale is a transposition cipher: it only reorders the letters of the message, so the ciphertext has the same letter frequencies as the plaintext.

Figure 2.1.: The Scytale, an ancient cryptosystem used by the Spartans around 400 BC (figure not reproduced here)
2.2. Substitution Cipher
The substitution cipher substitutes every letter of the plaintext alphabet by another letter. The key of this system is normally given by a permutation of the alphabet. A formal definition of the system looks like this:

Alphabet: $\Sigma = \{x_1, \dots, x_m\}$
Key selection: The key is a permutation $\pi \in S_m$ of $\{1, \dots, m\}$.
Encryption: Substitute letter $x_i$ by $x_{\pi(i)}$ in the plaintext.
Decryption: Substitute letter $x_j$ by $x_{\pi^{-1}(j)}$ in the ciphertext.
2.2.1. Caesar Cipher
A special case of the substitution cipher is the so-called Caesar cipher. Here the permutation is restricted to a cyclic shift of the alphabet. The cipher was first used by Caesar (100-44 BC) during the Gallic Wars. A machine-assisted version of this cipher was constructed by Leon Battista Alberti in the 15th century.
The Latin alphabet a, b, ..., z is mapped to the set $\{0, 1, \dots, 25\} = \mathbb{Z}_{26}$. We then apply arithmetic modulo 26 ("normal" arithmetic, but taking the remainder when dividing by 26) on this set. The system can be described in the following way:

Alphabet: $\Sigma = \mathbb{Z}_{26} = \{0, \dots, 25\}$
Key selection: Select a key $k \in \mathbb{Z}_{26}$.
Encryption: $e((m_1 \dots m_n)) = c = (c_1 \dots c_n)$ with $c_i = (m_i + k) \bmod 26$
Decryption: $d((c_1 \dots c_n)) = m = (m_1 \dots m_n)$ with $m_i = (c_i - k) \bmod 26$

Since there are only 26 keys (25 of them non-trivial), the Caesar cipher is broken by simply trying all shifts.
2.2.2. Affine Cipher in $\mathbb{Z}_m$
Another cipher that belongs to the class of substitution ciphers is the affine cipher, where not only addition but also multiplication modulo m is used to encrypt each letter of the plaintext. Here we have to take care that the encryption operation is invertible.

Alphabet: $\Sigma = \mathbb{Z}_m = \{0, \dots, m-1\}$
Key selection: Select a key $k = (a, b) \in \mathbb{Z}_m^{*} \times \mathbb{Z}_m$ with
$$\mathbb{Z}_m^{*} := \{\, a \in \mathbb{Z}_m \mid \exists\, a^{-1} \in \mathbb{Z}_m : a \cdot a^{-1} \equiv 1 \pmod m \,\}.$$
Encryption: $e(m) = c = (c_1 \dots c_n)$ with $c_i = (a m_i + b) \bmod m$
Decryption: $d(c) = m = (m_1 \dots m_n)$ with $m_i = (a^{-1}(c_i - b)) \bmod m$

The requirement that a is multiplicatively invertible mod m is needed for the injectivity of the encryption function e. If one would take for example a = 4, b = 0 and m = 26, then e(2) = 8 and e(15) = 60 mod 26 = 8 would give the same result and thus the ciphertext could not be uniquely deciphered.
We investigate the question in which cases the encryption function e is invertible. It holds that
$$ai + b \equiv aj + b \pmod m \iff a(i - j) \equiv 0 \pmod m \iff m \mid a(i - j).$$
Hence, if gcd(a, m) = 1, i.e., a and m are relatively prime, then
$$m \mid a(i - j) \implies m \mid (i - j), \quad \text{i.e., } i \equiv j \pmod m.$$
Conversely, if $d = \gcd(a, m) > 1$, then $a \cdot (m/d) \equiv 0 \pmod m$, so $e(m/d) = e(0)$ and e is not injective. In summary, e is invertible if and only if gcd(a, m) = 1. It will be shown that this last condition is equivalent to the existence of an inverse $a^{-1}$ satisfying $a a^{-1} \equiv a^{-1} a \equiv 1 \pmod m$.
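The affine cipher with the invertibility check above, as an added example (not code from the lecture notes): the alphabet A-Z is identified with $\mathbb{Z}_{26}$ as in Section 2.2.1, `collisions` exhibits the e(2) = e(15) collision for a = 4 from the text, `make_key` rejects any a with gcd(a, m) > 1, and the Caesar cipher appears as the special case a = 1. The function names and the sample words are this example's own.

```python
"""Affine cipher over Z_m (Section 2.2.2) with the gcd(a, m) = 1 check from the text.

Constructed example, not from the lecture notes: the alphabet is A-Z mapped to
Z_26 exactly as in Section 2.2.1; the Caesar cipher is the special case a = 1.
"""
from math import gcd
from typing import Dict, List, Tuple

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # letter x_i <-> i, m = 26


def affine_map(a: int, b: int, m: int, x: int) -> int:
    """The raw letter map e(x) = (a*x + b) mod m, with no invertibility check."""
    return (a * x + b) % m


def collisions(a: int, b: int, m: int) -> List[Tuple[int, int]]:
    """All pairs i < j with e(i) = e(j); non-empty exactly when gcd(a, m) > 1."""
    seen: Dict[int, int] = {}
    pairs = []
    for x in range(m):
        y = affine_map(a, b, m, x)
        if y in seen:
            pairs.append((seen[y], x))
        else:
            seen[y] = x
    return pairs


def make_key(a: int, b: int, m: int = 26) -> Tuple[int, int, int]:
    """Validate a key (a, b): reject it unless a is a unit in Z_m, i.e. gcd(a, m) = 1."""
    if gcd(a, m) != 1:
        raise ValueError(f"a={a} is not invertible mod {m}: gcd(a, m)={gcd(a, m)}")
    return a % m, b % m, m


def affine_encrypt(key: Tuple[int, int, int], plaintext: str) -> str:
    a, b, m = key
    return "".join(ALPHABET[affine_map(a, b, m, ALPHABET.index(ch))] for ch in plaintext.upper())


def affine_decrypt(key: Tuple[int, int, int], ciphertext: str) -> str:
    a, b, m = key
    a_inv = pow(a, -1, m)  # exists because make_key enforced gcd(a, m) = 1
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(ch) - b)) % m] for ch in ciphertext.upper())


def caesar_key(k: int, m: int = 26) -> Tuple[int, int, int]:
    """Caesar cipher = affine cipher with a = 1 (always invertible)."""
    return make_key(1, k, m)


def keyspace_size(m: int = 26) -> int:
    """|Z_m^*| * m valid keys; for m = 26 that is 12 * 26 = 312, trivially brute-forceable."""
    return sum(1 for a in range(1, m) if gcd(a, m) == 1) * m


if __name__ == "__main__":
    print(collisions(4, 0, 26)[:3])   # (2, 15) is among them: e(2) = e(15) = 8 as in the text
    key = make_key(5, 8)
    c = affine_encrypt(key, "AFFINE")
    print(c, affine_decrypt(key, c))
    print(affine_encrypt(caesar_key(3), "ATTACK"))
    print(keyspace_size())
```

`keyspace_size` is the practitioner's check on this whole family of ciphers: even with the invertibility condition satisfied there are only 312 keys over $\mathbb{Z}_{26}$, so a ciphertext-only attacker simply decrypts under all of them and keeps the readable result.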
2.3. Permutation Cipher
The permutation cipher first groups the plaintext into blocks of k letters. Then each of the blocks is rearranged by applying some permutation $\pi \in S_k$ of $\{1, \dots, k\}$. Deciphering just means applying the inverse permutation $\pi^{-1}$ to each of the blocks.

Plaintext: $m = (m_1 \dots m_n) = (m_1 \dots m_k \mid m_{k+1} \dots m_{2k} \mid m_{2k+1} \dots m_n)$
Key selection: The key is a permutation $\pi \in S_k$ of the set $\{1, \dots, k\}$.
Encryption:
$$e(m) = (m_{\pi(1)}, \dots, m_{\pi(k)} \mid m_{k+\pi(1)}, \dots, m_{k+\pi(k)} \mid m_{2k+\pi(1)}, \dots, m_{n-k+\pi(k)})$$
Decryption:
$$d(c) = (c_{\pi^{-1}(1)}, \dots, c_{\pi^{-1}(k)} \mid c_{k+\pi^{-1}(1)}, \dots, c_{k+\pi^{-1}(k)} \mid c_{2k+\pi^{-1}(1)}, \dots, c_{n-k+\pi^{-1}(k)})$$

Example 2.1. With the permutation
$$\pi = \begin{pmatrix} 1 & 2 & 3 \\ 3 & 2 & 1 \end{pmatrix} = \begin{pmatrix} 3 & 2 & 1 \end{pmatrix} = (1\ 3)(2),$$
the plaintext CRYPTOGRAPHY is encrypted as follows:
CRY | PTO | GRA | PHY  →  YRC | OTP | ARG | YHP.
2.4. Vigenère Cipher
The Vigenère cipher goes back to an idea of Alberti but is named after Blaise de Vigenère (1523-1596), who enhanced this idea to a usable system. The idea is to add a repeated keyword to the plaintext letter by letter:

Alphabet: $\Sigma = \mathbb{Z}_{26} = \{0, \dots, 25\}$
Key selection: The key is a word s of length k: $s = (s_0, \dots, s_{k-1}) \in \Sigma^k$
Encryption: Encryption means componentwise addition mod 26:
$$e((m_1 \dots m_n)) = c = (c_1 \dots c_n) \quad \text{with } c_i = (m_i + s_{(i-1) \bmod k}) \bmod 26$$
Decryption: Decryption means componentwise subtraction mod 26:
$$d((c_1 \dots c_n)) = m = (m_1 \dots m_n) \quad \text{with } m_i = (c_i - s_{(i-1) \bmod k}) \bmod 26$$

Example 2.2. The encryption of the plaintext CRYPTOLOGY with the keyword BOARD looks like this:

  C  R  Y  P  T  O  L  O  G  Y
  B  O  A  R  D  B  O  A  R  D
  D  F  Y  G  W  P  ...
  2 17 24 15 19 14
  1 14  0 17  3  1
  3  5 24  6 22 15

Extension by Vernam (1917)
The Vernam cipher is essentially the same as the system used by Vigenère. As an additional requirement, for each plaintext a randomly generated key of the same length is used (one-time pad). The disadvantage of this system is that a key of the same length as the plaintext itself has to be transmitted over a secure channel in advance. Hence, this system is not suitable for applications where many users are involved.

Remark 2.3. Substitution ciphers are monoalphabetic, i.e., each character is always mapped to a unique cipher character. Vigenère and Vernam ciphers are polyalphabetic, i.e., the same character may be mapped onto different cipher characters.
2.5. Hill Cipher (1929)
The Hill cipher first divides the text into blocks of fixed length k. Then each of the blocks is encrypted by multiplication with a regular $k \times k$ matrix. A suitable alphabet for this cryptosystem (having prime cardinality) would be for example the set $\Sigma = \{A, B, \dots, Z\}$ extended by three further symbols (blank, comma, full stop) with $|\Sigma| = 29$, or the set $\Sigma = \{0, \dots, 9, ., A, \dots, Z\}$ with $|\Sigma| = 37$. A formal definition of the system looks like this:

Alphabet: $\Sigma = \mathbb{Z}_p = \{0, \dots, p-1\}$ with p prime
Plaintext: $m = (m_1, \dots, m_n) = (m_1, \dots, m_k, m_{k+1}, \dots, m_{2k}, m_{2k+1}, \dots, m_n)$ with $k \mid n$ (if k does not divide n, use padding)
Key selection: The key is a matrix $U \in \mathbb{Z}_p^{k \times k}$ with $\det(U) \neq 0$
Encryption: $e(m) = c = (c_1, \dots, c_n) = (c_1, \dots, c_k, c_{k+1}, \dots, c_{2k}, c_{2k+1}, \dots, c_n)$ with
$$(c_{ik+1}, c_{ik+2}, \dots, c_{(i+1)k})^{\top} = U\,(m_{ik+1}, m_{ik+2}, \dots, m_{(i+1)k})^{\top} \quad \text{for } i = 0, \dots, n/k - 1$$
Decryption: $d(c) = m = (m_1, \dots, m_n) = (m_1, \dots, m_k, m_{k+1}, \dots, m_{2k}, m_{2k+1}, \dots, m_n)$ with
$$(m_{ik+1}, m_{ik+2}, \dots, m_{(i+1)k})^{\top} = U^{-1}\,(c_{ik+1}, c_{ik+2}, \dots, c_{(i+1)k})^{\top} \quad \text{for } i = 0, \dots, n/k - 1$$

Remark 2.4. Observe that, if p is prime, $\mathbb{Z}_p$ is a field and for each matrix $U \in \mathbb{Z}_p^{k \times k}$ satisfying $\det(U) \neq 0$ there exists an inverse $U^{-1}$. The cipher can be extended to any ring $\mathbb{Z}_n$, but then it has to be assured that the key matrix U is invertible, i.e., that $\gcd(\det(U), n) = 1$.

Example 2.5. With k = 2, p = 37 and the regular matrix
$$U = \begin{pmatrix} 3 & 13 \\ 22 & 15 \end{pmatrix}$$
we get the following encryption of the word GOOD, which corresponds to (17, 25, 25, 14) in the 37-symbol alphabet above:
$$(6, 9, 35, 20) = \left( \Big(U \begin{pmatrix} 17 \\ 25 \end{pmatrix}\Big)^{\top},\ \Big(U \begin{pmatrix} 25 \\ 14 \end{pmatrix}\Big)^{\top} \right).$$

Remark 2.6. Permutation ciphers are a special case of Hill ciphers. We get them if U is a permutation matrix (exactly one 1 in each row and column, otherwise 0s).

Example 2.7. The permutation cipher with the key $\pi = \begin{pmatrix} 3 & 2 & 1 \end{pmatrix}$ corresponds to the Hill cipher with the key
$$U = \begin{pmatrix} 0 & 0 & 1 \\ 0 & 1 & 0 \\ 1 & 0 & 0 \end{pmatrix}.$$
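The Hill cipher of Section 2.5 and the permutation cipher of Section 2.3 as its special case (Remark 2.6), as an added example that is not code from the lecture notes. The 37-symbol alphabet, the key U and the word GOOD are those of Example 2.5 and the permutation (3 2 1) is that of Examples 2.1 and 2.7; the Gauss-Jordan inversion over $\mathbb{Z}_p$, the helper names and the known-plaintext key recovery at the end are this example's own. The last function goes beyond the text: because e is linear, k linearly independent plaintext blocks with their ciphertext blocks give $C = UM$ and hence $U = CM^{-1}$, which is why the Hill cipher fails the known-plaintext test of Section 2.6.1.

```python
"""Hill cipher over Z_p (Section 2.5), the permutation cipher as a Hill cipher with a
permutation matrix (Remark 2.6), and a known-plaintext recovery of the key matrix.

Added example; not code from the lecture notes.  The 37-symbol alphabet (0-9, '.', A-Z)
and the key U of Example 2.5 are taken from the text; the known-plaintext attack and
the Gauss-Jordan inversion are this example's own.
"""
from typing import List, Sequence

Matrix = List[List[int]]
ALPHABET37 = "0123456789." + "ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # G=17, O=25, D=14, p=37
ALPHABET26 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def mat_inv_mod(u: Matrix, p: int) -> Matrix:
    """Invert a k x k matrix over Z_p by Gauss-Jordan elimination.
    For prime p every non-zero pivot is invertible; for composite p the pivot itself
    must be a unit, and a singular matrix raises ValueError either way."""
    k = len(u)
    a = [[x % p for x in row] + [int(i == j) for j in range(k)] for i, row in enumerate(u)]
    for col in range(k):
        pivot = next((r for r in range(col, k) if a[r][col] % p), None)
        if pivot is None:
            raise ValueError("singular matrix mod p: not a valid Hill key")
        a[col], a[pivot] = a[pivot], a[col]
        inv = pow(a[col][col], -1, p)            # raises ValueError if not a unit mod p
        a[col] = [(x * inv) % p for x in a[col]]
        for r in range(k):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [(x - f * y) % p for x, y in zip(a[r], a[col])]
    return [row[k:] for row in a]


def mat_mul_mod(u: Matrix, v: Matrix, p: int) -> Matrix:
    return [[sum(u[i][t] * v[t][j] for t in range(len(v))) % p
             for j in range(len(v[0]))] for i in range(len(u))]


def blocks_as_columns(values: Sequence[int], k: int) -> Matrix:
    """Arrange n = s*k symbols as a k x s matrix whose columns are the blocks."""
    if len(values) % k:
        raise ValueError("length must be a multiple of k (pad first)")
    return [list(values[i::k]) for i in range(k)]


def columns_as_blocks(m: Matrix) -> List[int]:
    return [m[i][j] for j in range(len(m[0])) for i in range(len(m))]


def hill_encrypt(u: Matrix, text: str, alphabet: str) -> str:
    p = len(alphabet)
    c = mat_mul_mod(u, blocks_as_columns([alphabet.index(ch) for ch in text], len(u)), p)
    return "".join(alphabet[x] for x in columns_as_blocks(c))


def hill_decrypt(u: Matrix, text: str, alphabet: str) -> str:
    return hill_encrypt(mat_inv_mod(u, len(alphabet)), text, alphabet)


def permutation_matrix(pi: Sequence[int]) -> Matrix:
    """Key matrix of the permutation cipher, pi given 1-based: row i has its 1 in column pi(i)."""
    k = len(pi)
    return [[int(pi[i] == j + 1) for j in range(k)] for i in range(k)]


def recover_key_known_plaintext(plain: str, cipher: str, k: int, alphabet: str) -> Matrix:
    """Known-plaintext attack: e is linear, so with k independent plaintext blocks M
    (as columns) and their ciphertext blocks C we have C = U*M and thus U = C*M^-1."""
    p = len(alphabet)
    m = blocks_as_columns([alphabet.index(ch) for ch in plain[: k * k]], k)
    c = blocks_as_columns([alphabet.index(ch) for ch in cipher[: k * k]], k)
    return mat_mul_mod(c, mat_inv_mod(m, p), p)


U = [[3, 13], [22, 15]]  # key of Example 2.5

if __name__ == "__main__":
    ct = hill_encrypt(U, "GOOD", ALPHABET37)
    print(ct, hill_decrypt(U, ct, ALPHABET37))                   # 69YJ GOOD
    print(hill_encrypt(permutation_matrix([3, 2, 1]), "CRYPTOGRAPHY", ALPHABET26))
    print(recover_key_known_plaintext("GOOD", ct, 2, ALPHABET37))  # recovers U
```

Note that `recover_key_known_plaintext` needs the plaintext block matrix M to be invertible mod p; the two blocks of GOOD happen to be, and in practice an attacker simply chooses k such blocks from a longer known text.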
2.6. Formal Definition of a Cryptosystem and Types of Attacks
This section collects the joint characteristics of the cryptosystems described above, which then leads to the formal definition of a cryptosystem.

Input and output alphabets: The input alphabet will be called $\mathcal{X} = \{x_1, \dots, x_m\}$, the output alphabet $\mathcal{Y} = \{y_1, \dots, y_d\}$.
Plaintexts and ciphertexts: Plain- and ciphertexts are words of finite length $l \in \mathbb{N}_0$ over the alphabets $\mathcal{X}$ and $\mathcal{Y}$ respectively. The set of possible plaintext messages can be described as
$$\mathcal{M} \subseteq \bigcup_{l=0}^{\infty} \mathcal{X}^l,$$
and the set of possible ciphertexts is denoted as
$$\mathcal{C} \subseteq \bigcup_{l=0}^{\infty} \mathcal{Y}^l.$$
An element $m \in \mathcal{M}$ is called message or plaintext, an element $c \in \mathcal{C}$ is called ciphertext or cryptogram.
Keys: The finite set of possible keys $\mathcal{K}$ is called keyspace, an element $k \in \mathcal{K}$ is called a key.
Encryption: Encryption is described by a function (encryption rule):
$$e : \mathcal{M} \times \mathcal{K} \to \mathcal{C},\quad (m, k) \mapsto c.$$
Decryption: Decryption is also described by a function, the so-called decryption rule:
$$d : \mathcal{C} \times \mathcal{K} \to \mathcal{M},\quad (c, k) \mapsto m.$$

Definition 2.8. A cryptosystem is a five-tuple $(\mathcal{M}, \mathcal{K}, \mathcal{C}, e, d)$ with $\mathcal{M}, \mathcal{K}, \mathcal{C}$ as above and e, d functions with
$$e : \mathcal{M} \times \mathcal{K} \to \mathcal{C}, \qquad d : \mathcal{C} \times \mathcal{K} \to \mathcal{M},$$
such that $d(e(m, k), k) = m$ for all $(m, k) \in \mathcal{M} \times \mathcal{K}$.

2.6.1. Cryptanalysis
This section describes the principal ideas behind possible attacks against a cryptosystem. We always assume that the opponent Oskar has complete knowledge of how the system works; the only thing he does not know is the key. This assumption is based on Kerckhoffs' principle, which says that the security of a cryptosystem shall not be based on the premise that the system itself is unknown to an opponent (cf. [Ker83]).
We distinguish the following levels of attacks to obtain the key, depending on the amount of information available to an attacker:
Ciphertext-only attack: Oskar possesses nothing but a string of ciphertext.
Known-plaintext attack: Oskar possesses a string of ciphertext and the corresponding plaintext.
Chosen-plaintext attack: Oskar has access to the encryption machinery. He can choose a plaintext and generate the corresponding ciphertext.
Chosen-ciphertext attack: Oskar has access to the decryption machinery. He can choose some ciphertext and construct the corresponding plaintext.
Resistance against ciphertext-only and known-plaintext attacks is a minimal requirement for a cryptosystem. The chosen-plaintext and chosen-ciphertext attacks are the hardest to withstand. All of the cryptosystems described above except the Vernam cipher fail all of these tests.
3. Cryptanalysis of Classical Systems
Classical cryptosystems such as those described in Chapter 2 are susceptible to attacks which use characteristic properties of natural languages. This chapter describes statistical methods used in the cryptanalysis of classical systems.

3.1. Frequency Analysis
A cipher is called monoalphabetic over an input alphabet $\mathcal{X}$ if the encryption function e maps each occurrence of the letter $x_i \in \mathcal{X}$ to the same letter $y_j \in \mathcal{Y}$. If a cipher is not monoalphabetic over an input alphabet $\mathcal{X}$, it is called polyalphabetic over $\mathcal{X}$.
The substitution cipher (cf. Section 2.2) is monoalphabetic over the input alphabet $\mathcal{X}$. The Vigenère cipher with key length k is polyalphabetic over $\mathcal{X}$, but monoalphabetic over $\mathcal{X}^k$.
If a cipher is monoalphabetic over an alphabet of a natural language, frequency analysis can be used to attack the system. In a frequency analysis the frequencies of characters, bigrams and trigrams in the ciphertext are determined and identified with the most frequent characters, bigrams and trigrams of the corresponding natural language. Using this method one usually gets already half of the text by identifying the six most frequent characters, because in the English language the six most frequent characters E, T, A, O, I, N account for 51.75% of all letter occurrences.
3.2. The Friedman Test
The Friedman test (William F. Friedman, 1891-1969) is a method to determine whether a given cryptogram was encrypted using a cipher that is monoalphabetic over an alphabet of a natural language. We make use of the following model:

Alphabet: $\mathcal{X} = \{1, \dots, m\}$
Cryptogram: Let $C = (C_1, \dots, C_n)$ be a cryptogram of length n modeled by random variables $C_1, \dots, C_n$, stochastically independent and identically distributed (i.i.d.) with
$$P(C_i = l) = q_l \quad \text{for } l \in \mathcal{X} \text{ and } i = 1, \dots, n.$$

Definition 3.1. The random variable
$$I_C = I(C_1, \dots, C_n) = \frac{|\{(i, j) \mid C_i = C_j,\ 1 \le i < j \le n\}|}{\binom{n}{2}}$$
is called index of coincidence.

Remark 3.2. Obviously it holds that
$$I_C = 1 \iff C_1 = \dots = C_n, \qquad I_C = 0 \iff \text{all } C_i \text{ are different.}$$

Now let $N_l = |\{i \mid C_i = l\}|$ for $l \in \mathcal{X}$ be the number of components equal to l. It holds that
$$I_C = \frac{1}{n(n-1)} \sum_{l=1}^{m} N_l (N_l - 1).$$
With the strong law of large numbers we find
$$q_l = \lim_{n \to \infty} \frac{N_l}{n} \quad \text{almost everywhere (a.e.), for all } l = 1, \dots, m.$$
Hence we see that the index of coincidence converges almost everywhere:
$$I_C = \sum_{l=1}^{m} \underbrace{\frac{N_l}{n}}_{\to\, q_l} \cdot \underbrace{\frac{N_l - 1}{n - 1}}_{\to\, q_l} \longrightarrow \sum_{l=1}^{m} q_l^2 =: \kappa_C \quad (n \to \infty),\ \text{a.e.}$$
There is another way of describing $I_C$ as a random variable. In order to do so let
$$Y_{ij} = \begin{cases} 1, & \text{if } C_i = C_j, \\ 0, & \text{otherwise.} \end{cases}$$
We rewrite $I_C$ in terms of the newly defined random variables $Y_{ij}$ in the following way:
$$I_C = \frac{1}{\binom{n}{2}} \sum_{1 \le i < j \le n} Y_{ij}. \tag{3.1}$$
This representation helps us to prove the following lemma.

Lemma 3.3.
$$E(I_C) = \sum_{l=1}^{m} q_l^2 = \kappa_C.$$
Proof. With equation (3.1) we get for all $i < j$:
$$E(Y_{ij}) = 1 \cdot P(Y_{ij} = 1) + 0 \cdot P(Y_{ij} = 0) = P(C_i = C_j) = \sum_{l=1}^{m} P(C_i = l, C_j = l) = \sum_{l=1}^{m} \underbrace{P(C_i = l)}_{q_l}\, \underbrace{P(C_j = l)}_{q_l} = \sum_{l=1}^{m} q_l^2 = \kappa_C.$$
Averaging over the $\binom{n}{2}$ pairs in (3.1) gives $E(I_C) = \kappa_C$.
In summary, $I_C$ is an unbiased, strongly consistent estimator for $\kappa_C = \sum_{l=1}^{m} q_l^2$, i.e.,
$$E(I_C) = \kappa_C \quad \text{and} \quad I_C \to \kappa_C \ (n \to \infty) \ \text{almost everywhere.}$$
Applying the Cauchy-Schwarz inequality yields a lower bound for $\kappa_C$:
$$\Big(\sum_{l=1}^{m} q_l\Big)^2 \le m \sum_{l=1}^{m} q_l^2, \quad \text{hence} \quad \sum_{l=1}^{m} q_l^2 \ge \frac{1}{m},$$
with equality if and only if $q_l = 1/m$ for all $l = 1, \dots, m$.
For a uniform distribution, i.e., $q_l = 1/26$, we get
$$\kappa_U = \sum_{l=1}^{26} \Big(\frac{1}{26}\Big)^2 = \frac{1}{26} = 0.0385.$$
For a text in the English language we get
$$\kappa_E = 0.066895.$$

Application. In order to determine whether a given ciphertext c has been constructed with a cipher that is monoalphabetic over the alphabet $\{A, \dots, Z\}$, we compute $I_c$. Then we decide that the cipher is monoalphabetic over $\{A, \dots, Z\}$ if $I_c \approx \kappa_L$ for a natural language L. If $I_c \approx 0.0385$ we conclude that the cipher is polyalphabetic. Note that a monoalphabetic substitution only permutes the $q_l$ and therefore leaves $I_c$ unchanged, which is exactly why the test works without knowing the key.
3.3. Estimating the Keylength of a Vigenère Cipher
The Vigenère cipher is obviously not monoalphabetic over $\{A, \dots, Z\}$ but can still be broken with low effort. The first step in such an attack is to estimate the length of the keyword using the so-called Kasiski-Babbage method. The idea of this method is that the length k of the keyword is probably a divisor of the distance between equal sequences in the cryptogram. The following simple example illustrates this idea:

Example 3.4. The text "To be or not to be" encrypted with the Vigenère cipher with key HAM leads to:

  T O B E O R N O T T O B E
  H A M H A M H A M H A M H
  A O N L O D U O F A O N L

The sequence AONL occurs at positions 1 and 10; its distance 9 is a multiple of the key length 3.

In order to estimate the keylength we use the following stochastic model:

Alphabet: $\mathcal{X} = \{0, \dots, m-1\}$
Plaintext: $M = (M_1, \dots, M_k, \dots, M_n)$ with $M_1, \dots, M_n$ i.i.d., $P(M_i = l) = p_l$, $l \in \mathcal{X}$, $k \mid n$.
Keyword: $K = (K_0, \dots, K_{k-1})$ with $K_0, \dots, K_{k-1}$ i.i.d. on $\mathcal{K} = \mathcal{X}$, $P(K_i = l) = 1/m$.
Ciphertext: $C = (C_1, \dots, C_k, \dots, C_n)$ with $C_i = (M_i + K_{(i-1) \bmod k}) \bmod m$.

Let $i \sim j$ if $i \equiv j \pmod k$, and
$$Y_{ij} = \begin{cases} 1, & \text{if } C_i = C_j, \\ 0, & \text{otherwise.} \end{cases}$$
In order to determine $E(Y_{ij})$, we distinguish two cases (writing $K_i$ for the key letter $K_{(i-1) \bmod k}$ used at position i):

$i \sim j$: Both positions use the same key letter, so
$$E(Y_{ij}) = 1 \cdot P(C_i = C_j) = P(M_i = M_j) = \sum_{l=0}^{m-1} p_l^2 = \kappa_M.$$

$i \not\sim j$: The two key letters are independent and uniform, so
$$\begin{aligned}
E(Y_{ij}) &= P(C_i = C_j) = P(M_i + K_i \equiv M_j + K_j \pmod m) \\
&= \sum_{u, v \in \mathcal{X}} P(M_i + u \equiv M_j + v \pmod m)\, \underbrace{P(K_i = u, K_j = v)}_{= 1/m^2} \\
&= \frac{1}{m^2} \sum_{u, v} \sum_{l} P(M_i = l + v - u \pmod m,\ M_j = l) \\
&= \frac{1}{m^2} \sum_{l} p_l \sum_{u} \underbrace{\sum_{v} P(M_i = l + v - u \pmod m)}_{= 1} \\
&= \frac{1}{m^2} \cdot m \cdot \underbrace{\sum_{l} p_l}_{= 1} = \frac{1}{m}.
\end{aligned}$$

Now that we have computed the expected values of all random variables $Y_{ij}$ we may proceed and compute the expectation of $I_C$.

Lemma 3.5. Under the above assumptions, if $k \mid n$ we get that
$$E(I_C) = \frac{1}{k(n-1)} \Big( (n - k)\,\kappa_M + n(k-1)\,\frac{1}{m} \Big). \tag{3.2}$$
Proof.
$$\begin{aligned}
E(I_C) &= \frac{1}{\binom{n}{2}} \sum_{1 \le i < j \le n} E(Y_{ij})
= \frac{1}{\binom{n}{2}} \Big( \sum_{i < j,\ i \sim j} \underbrace{E(Y_{ij})}_{= \kappa_M} + \sum_{i < j,\ i \not\sim j} \underbrace{E(Y_{ij})}_{= 1/m} \Big) \\
&= \frac{2}{n(n-1)} \Big( \underbrace{\tfrac{1}{2}\, n \big(\tfrac{n}{k} - 1\big)}_{\text{number of terms in the 1st sum}} \kappa_M + \underbrace{\tfrac{1}{2}\, n \big(n - \tfrac{n}{k}\big)}_{\text{number of terms in the 2nd sum}} \frac{1}{m} \Big).
\end{aligned}$$
This concludes the proof, since the last term equals the result: $\frac{2}{n(n-1)} \cdot \frac{n}{2}\big(\frac{n}{k} - 1\big) = \frac{n-k}{k(n-1)}$ and $\frac{2}{n(n-1)} \cdot \frac{n}{2}\big(n - \frac{n}{k}\big) = \frac{n(k-1)}{k(n-1)}$.

We are interested in determining the block length k. If we solve equation (3.2) for k we get
$$k = \frac{n\,\big(\kappa_M - \frac{1}{m}\big)}{(n-1)\,E(I_C) + \kappa_M - \frac{n}{m}}.$$
Note that if $E(I_C) = \kappa_M$ it follows that $k = 1$.
Application. Given a cryptogram $c = (c_1 \dots c_n)$ we may estimate $E(I_c)$ by
$$I_c = \frac{1}{n(n-1)} \sum_{l=0}^{m-1} n_l (n_l - 1),$$
where $n_l$ is the number of occurrences of letter l in c. Hence, inserting $\kappa_M = \kappa_E = 0.066895$ and $1/m = 1/26$ (so that $\kappa_E - 1/m = 0.028433$),
$$\hat{k} = \frac{0.028433\, n}{(n-1)\, I_c - 0.0385\, n + 0.066895}$$
is an estimator for the key string length k. (The estimate is only meaningful for long cryptograms; for short ones the variance of $I_c$ dominates.)
If k is known, we can write c in a matrix:
$$c = \begin{pmatrix} c_1 & c_2 & \dots & c_k \\ c_{k+1} & c_{k+2} & \dots & c_{2k} \\ \vdots & \vdots & & \vdots \\ c_{sk+1} & \dots & & c_n \end{pmatrix}.$$
The columns of this matrix are encrypted monoalphabetically (each column is a Caesar shift by one key letter), so we can apply frequency analysis to the columns.
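The whole procedure of Sections 2.4, 3.2 and 3.3 in one place, as an added example that is not code from the lecture notes: the Vigenère cipher itself, the index of coincidence $I_c$, the Friedman key-length estimator with the constants from the text, the Kasiski-Babbage repeated-sequence test of Example 3.4, and the column-wise frequency analysis that finishes the attack once k is known. The sample plaintext and the published English letter-frequency table used to pick each column's Caesar shift are assumptions of this example; $\kappa_E = 0.066895$ and the estimator constants are the text's.

```python
"""Vigenère cipher (Section 2.4) and the tools of Sections 3.2 and 3.3 for attacking it:
index of coincidence, Friedman key-length estimate, Kasiski-Babbage repeated sequences
and column-wise frequency analysis.

Added example, not code from the lecture notes.  kappa_E = 0.066895 and the estimator
constants come from the text; the English letter-frequency table used to pick each
column's Caesar shift is the usual published one and is an assumption of this example.
"""
from collections import Counter
from typing import Dict, List, Tuple

A = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
KAPPA_E, KAPPA_U = 0.066895, 1 / 26

# Assumed relative frequencies of letters in English text (percent), A..Z.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def clean(text: str) -> str:
    return "".join(ch for ch in text.upper() if ch in A)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """c_i = (m_i + s_((i-1) mod k)) mod 26; decryption subtracts instead."""
    text, key, sign = clean(text), clean(key), (-1 if decrypt else 1)
    return "".join(A[(A.index(ch) + sign * A.index(key[i % len(key)])) % 26]
                   for i, ch in enumerate(text))


def index_of_coincidence(text: str) -> float:
    """I_c = sum_l n_l (n_l - 1) / (n (n - 1)); invariant under any monoalphabetic substitution."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(v * (v - 1) for v in Counter(text).values()) / (n * (n - 1))


def friedman_keylength(text: str) -> float:
    """The estimator of Section 3.3 (only meaningful for long cryptograms)."""
    n, ic = len(text), index_of_coincidence(text)
    return 0.028433 * n / ((n - 1) * ic - 0.0385 * n + 0.066895)


def kasiski_candidates(text: str, seq_len: int = 3, max_k: int = 20) -> List[Tuple[int, int]]:
    """Distances between repeated seq_len-grams; returns (divisor, votes) sorted by votes.
    The true key length k is expected to divide most of the distances."""
    positions: Dict[str, List[int]] = {}
    for i in range(len(text) - seq_len + 1):
        positions.setdefault(text[i:i + seq_len], []).append(i)
    votes: Counter = Counter()
    for pos in positions.values():
        for first, later in zip(pos, pos[1:]):
            for d in range(2, max_k + 1):
                if (later - first) % d == 0:
                    votes[d] += 1
    return sorted(votes.items(), key=lambda kv: (-kv[1], kv[0]))


def best_shift(column: str) -> int:
    """Caesar shift of one column: the shift whose un-shifted letters best match English."""
    counts = Counter(column)

    def score(s: int) -> float:
        return sum(ENGLISH_FREQ[(A.index(ch) - s) % 26] * cnt for ch, cnt in counts.items())

    return max(range(26), key=score)


def recover_key(ciphertext: str, k: int) -> str:
    """Write the cryptogram as a k-column matrix and attack each column monoalphabetically."""
    return "".join(A[best_shift(ciphertext[i::k])] for i in range(k))


# Constructed sample plaintext (not from the notes), long enough for the statistics to bite.
SAMPLE = ("THE INDEX OF COINCIDENCE MEASURES HOW OFTEN TWO RANDOMLY CHOSEN LETTERS OF A TEXT "
          "AGREE AND A MONOALPHABETIC SUBSTITUTION DOES NOT CHANGE IT BECAUSE IT ONLY RENAMES "
          "THE LETTERS WHEREAS A VIGENERE CIPHER WITH A LONG KEYWORD SPREADS EVERY PLAINTEXT "
          "LETTER OVER SEVERAL CIPHERTEXT LETTERS AND PUSHES THE INDEX TOWARDS THE UNIFORM "
          "VALUE OF ONE OVER TWENTY SIX THE COLUMNS OF THE CRYPTOGRAM ARE STILL CAESAR SHIFTS "
          "SO ONCE THE KEY LENGTH IS KNOWN EACH COLUMN IS BROKEN BY FREQUENCY ANALYSIS ALONE")

if __name__ == "__main__":
    ct = vigenere(SAMPLE, "BOARD")
    print("IC plaintext %.4f  IC ciphertext %.4f  (kappa_E %.4f, kappa_U %.4f)"
          % (index_of_coincidence(clean(SAMPLE)), index_of_coincidence(ct), KAPPA_E, KAPPA_U))
    print("Friedman estimate of k: %.2f" % friedman_keylength(ct))
    print("Kasiski candidates (divisor, votes):", kasiski_candidates(ct)[:5])
    print("Recovered key:", recover_key(ct, 5))
```

Running the script shows the three steps in order: the ciphertext's $I_c$ drops towards $\kappa_U$ while the plaintext's sits near $\kappa_E$, Kasiski and Friedman both point at k = 5, and `recover_key` then reads off BOARD column by column. On the thirteen-letter Example 3.4 the Kasiski test already votes for 3, but the Friedman estimate is useless at that length, which is the caveat stated in the text.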
3.4. Attacks Against Vigenère Cipher with Running Key
To avoid periodicity with the block length as in the previous section one can use a key which has the same length as the plaintext. We then say that we are using a running key. But still a frequency attack is possible when the key comes from a natural language.
The idea (Friedman) here is to consider characters obtained from the addition of the most frequent characters (e, t, a, o, i, n, s in the English language). Let $M_i$, $i = 1, \dots, n$, denote random variables modeling the occurrence of plaintext characters in a message of length n. Similarly let $K_i$, $i = 1, \dots, n$, denote random variables modeling the occurrence of key characters in the running key. We then have
$$P(M_i \in \{E, T, A, O, I, N, S\}) \approx 0.57 \approx P(K_i \in \{E, T, A, O, I, N, S\}),$$
since both the message and the key come from a natural language (here: English). Thus the probability that a message character and the corresponding key character both are one of the most frequent characters is
$$P(M_i, K_i \in \{E, T, A, O, I, N, S\}) \approx 0.57^2 = 0.3249.$$
So roughly a third of all ciphertext positions are the sum of two letters from this seven-letter set, which leaves only 49 candidate pairs to test at such a position.
In order to ward off this attack the key should be chosen randomly, i.e., one should use random key streams. But even then a key must never be used twice. Otherwise the difference of both message texts can be recovered:
We let $M_1 = (m_1, \dots, m_l)$, which gives the cryptogram $C = ((m_i + k_i) \bmod m)_{i=1,\dots,l}$, as well as $M_2 = (n_1, \dots, n_l)$ giving $D = ((n_i + k_i) \bmod m)_{i=1,\dots,l}$. The attacker is now able to compute
$$(c_i - d_i) \bmod m = \big((m_i + k_i) - (n_i + k_i)\big) \bmod m = (m_i - n_i) \bmod m.$$
Since the messages $M_1$ and $M_2$ are taken from natural language, the attacker may apply the above attack using character frequencies.
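The key-reuse failure just described, as an added example that is not code from the lecture notes. Two constructed messages are encrypted under one uniformly random key; the attacker's difference $C - D$ is shown to equal $M_1 - M_2$ with the key cancelled out, and the difference is then exploited by crib dragging (guessing a word of $M_1$ at every offset and reading off the aligned piece of $M_2$). Crib dragging is this example's concrete choice of how to "apply the above attack"; the messages, the crib TOBE and the function names are assumptions.

```python
"""Key reuse with a one-time pad / random running key (Section 3.4): with C = M1 + K and
D = M2 + K the attacker computes C - D = M1 - M2 (mod 26) and never needs K.

Added example, not code from the lecture notes.  The two messages are constructed;
crib dragging (guessing a word of M1 and reading off the aligned piece of M2 from the
difference) is the standard way to exploit the difference and is this example's choice.
"""
import secrets
from typing import List, Tuple

A = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def random_key(n: int) -> str:
    """A fresh uniformly random key of length n (the Vernam requirement)."""
    return "".join(secrets.choice(A) for _ in range(n))


def add_mod26(text: str, key: str, sign: int = 1) -> str:
    """Letter-wise (text + sign*key) mod 26; sign = -1 decrypts (or subtracts)."""
    return "".join(A[(A.index(t) + sign * A.index(k)) % 26] for t, k in zip(text, key))


def difference(c: str, d: str) -> str:
    """(c_i - d_i) mod 26, which equals (m_i - n_i) mod 26 when both used the same key."""
    return add_mod26(c, d, -1)


def crib_drag(diff: str, crib: str) -> List[Tuple[int, str]]:
    """For every offset assume the crib is M1 there; then M2 = crib - diff at that offset.
    The attacker keeps the offsets where the result reads like natural language."""
    out = []
    for i in range(len(diff) - len(crib) + 1):
        out.append((i, add_mod26(crib, diff[i:i + len(crib)], -1)))
    return out


def two_time_pad_demo(m1: str, m2: str, crib: str = "TOBE") -> Tuple[str, List[Tuple[int, str]]]:
    """Encrypt both messages under one random key and return the difference plus a crib drag."""
    if len(m1) != len(m2):
        raise ValueError("demo assumes equal-length messages")
    key = random_key(len(m1))
    c, d = add_mod26(m1, key), add_mod26(m2, key)
    diff = difference(c, d)
    assert diff == add_mod26(m1, m2, -1)   # the key has cancelled out
    return diff, crib_drag(diff, crib)


if __name__ == "__main__":
    # Constructed messages: "to be or not to be" and "that is the ques(tion)"
    diff, drag = two_time_pad_demo("TOBEORNOTTOBE", "THATISTHEQUES")
    print("M1 - M2 =", diff)
    for offset, guess in drag:
        print(offset, guess)       # offset 0 yields THAT, offset 9 yields QUES
```

Each ciphertext on its own is perfectly secret (for a uniform one-time key every plaintext is equally likely), which is why the assertion in `two_time_pad_demo` is the whole point: the moment the same key covers two messages, the key disappears from the attacker's equation and only natural-language redundancy is left to protect the texts.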
4. Entropy and Perfect Secrecy
4.1. Foundations of Information Theory
4.1.1. Entropy
In this section we aim at a measure of the uncertainty about the outcome of a random experiment (before the experiment takes place) or of the information gained by the outcome (after the experiment has taken place). We now give a formal definition of this aim:
Let X be a discrete random variable with finite support $\{x_1, \dots, x_m\}$ and distribution $P(X = x_i) = p_i$, $i = 1, \dots, m$.

Definition 4.1. Let X be a discrete random variable with finite support, $c > 1$ an arbitrary constant. Then
$$I_X(x_j) = -\log_c P(X = x_j) = -\log_c p_j$$
is called information content of the event $X = x_j$.
$$H(X) = -\sum_{j=1}^{m} P(X = x_j) \log_c P(X = x_j) = -\sum_{j=1}^{m} p_j \log_c p_j$$
is called entropy of X.

Remark. H is the average of the information contents $I_X(x_j)$, $j = 1, \dots, m$, weighted by their probabilities.
We will use the following conventions:
- We define $\log 0 = -\infty$ and $0 \cdot \log 0 = 0$.
- In the following we will omit the constant c (for c = 2 the entropy is measured in bits).

An analogous definition of the entropy exists for multidimensional random variables; we will now consider the case of a two-dimensional random variable (X, Y) with support $\mathcal{X} \times \mathcal{Y}$, $\mathcal{X} = \{x_1, \dots, x_m\}$, $\mathcal{Y} = \{y_1, \dots, y_d\}$, and distribution $P(X = x_i, Y = y_j) = p_{ij}$:

Definition 4.2. Let (X, Y) be defined as above. Then we define
a)
$$H(X, Y) = -\sum_{i,j} p_{ij} \log p_{ij} = -\sum_{i,j} P(X = x_i, Y = y_j) \log P(X = x_i, Y = y_j),$$
the joint entropy of X and Y.
b)
$$H(X \mid Y) = -\sum_{j=1}^{d} P(Y = y_j) \sum_{i=1}^{m} P(X = x_i \mid Y = y_j) \log P(X = x_i \mid Y = y_j) = -\sum_{i,j} P(X = x_i, Y = y_j) \log P(X = x_i \mid Y = y_j),$$
the conditional entropy (or equivocation) of X given Y, an average entropy with respect to all conditional distributions.

Some properties of the entropy are described in the following theorem:

Theorem 4.3. Let X, Y be defined as above.
a) $0 \overset{(i)}{\le} H(X) \overset{(ii)}{\le} \log m$
with equality in (i) iff there exists $x_i \in \mathcal{X}$ with $P(X = x_i) = 1$ (singleton distribution) and equality in (ii) iff $P(X = x_i) = 1/m$ for all $i = 1, \dots, m$ (uniform distribution).
b) $0 \overset{(i)}{\le} H(X \mid Y) \overset{(ii)}{\le} H(X)$
with equality in (i) iff $P(X = x_i \mid Y = y_j) = 1$ for all i, j with $P(X = x_i, Y = y_j) > 0$, and equality in (ii) iff X and Y are stochastically independent.
c) $H(X, Y) \le H(X) + H(Y)$ with equality if and only if X and Y are stochastically independent.
d) $H(X, Y) = H(X) + H(Y \mid X) = H(Y) + H(X \mid Y)$ (chain rule).
Proof. Cf. [Sti95], pages 56 ff.
4.1.2. Coding
This section first gives a concise definition of codings and then outlines some basic properties and results from information theory. To do so, first consider the following setting:
- Source alphabet $\mathcal{X} = \{x_1, \dots, x_m\}$ (e.g., $\{A, \dots, Z\}$),
- Code alphabet $\mathcal{Y} = \{y_1, \dots, y_d\}$ (e.g., $\{0, 1\}$).
We encode letters from the alphabet $\mathcal{X}$ by words over the alphabet $\mathcal{Y}$ using an injective function
$$g : \mathcal{X} \to \bigcup_{l=1}^{\infty} \mathcal{Y}^l, \quad x_j \mapsto g(x_j) = (w_{j1}, \dots, w_{jn_j}).$$
$g(x_j)$ is called the codeword of $x_j$, $n_j$ its length, and $g$ is called an encoding.
If codewords are concatenated, they still must be uniquely identifiable; this property is described by the following definition:
Definition 4.4. An encoding $g$ is called uniquely decodable (decipherable) if the map
$$G : \bigcup_{l=1}^{\infty} \mathcal{X}^l \to \bigcup_{l=1}^{\infty} \mathcal{Y}^l, \quad (x_1, \dots, x_m) \mapsto (g(x_1), \dots, g(x_m))$$
is injective.
In order to describe basic properties of uniquely decodable encodings, such as the minimal average length of codewords, we construct the following stochastic model:
Let $X$ be a discrete random variable with support $\mathcal{X}$ and distribution $P(X = x_j) = p_j$ modeling the random occurrence of characters. Let $g : \mathcal{X} \to \bigcup_{l=1}^{\infty} \mathcal{Y}^l$ be an encoding with codeword lengths $n_1, \dots, n_m$. We now define
$$\bar{n} = \bar{n}(g) = \sum_{j=1}^{m} n_j P(X = x_j)$$
as the average wordlength of $g$.
The Noiseless Coding Theorem [Sha48] not only gives a lower bound for $\bar{n}$ but also states that an encoding with only slightly larger average word length always exists:
Theorem 4.5 (Noiseless Coding Theorem). Let $\mathcal{X}$ and $\mathcal{Y}$ be defined as above.
a) For any uniquely decodable encoding $g$ it holds that
$$\frac{H(X)}{\log d} \le \bar{n}(g).$$
b) There exists a uniquely decodable encoding $g$ satisfying
$$\bar{n}(g) < \frac{H(X)}{\log d} + 1.$$
Proof. The proof can be found in any book on information theory, for example [Mat96].
According to Theorem 4.5 the highest compression of a source that can be achieved by encoding is approximately $H(X)/\log d$. Encoding the alphabet $\mathcal{X}$ with fixed length codes over $\mathcal{Y}$ needs approximately length $n = \log_d m$. Hence the fraction of possible reduction is
$$\frac{H(X)}{\log_d m \cdot \log d} = \frac{H(X)}{\log m}.$$
The remainder, $1 - \frac{H(X)}{\log m}$, is accordingly called redundancy (note that $\frac{H(X)}{\log m} \le 1$).
The model used for the above results only partially describes properties of natural language. In natural languages the occurrence of characters is not stochastically independent. That is why we now generalize our concept to stationary sources.
Table 4.1.: Entropy of N-grams in the English language
N | 1 | 2 | 3
(1/N) H(X_1, ..., X_N) | 4.14 | 3.56 | 3.30
Definition 4.6. Let $(X_n)$ be a stationary sequence of random variables. Then
$$H_\infty(X) = \lim_{N \to \infty} \frac{1}{N} H(X_1, \dots, X_N)$$
is called the entropy of the source.
Analogously we define the redundancy of the source as
$$R = 1 - \frac{H_\infty(X)}{\log m}.$$
To give an impression of the structure of the English language, we consider the entropy of N-grams in English (cf. Table 4.1). The values given are estimated from long sequences of text. Empirical investigations show that in the English language $1 < H_\infty(X) \le 1.5$. If we assume that $H_\infty(X) = 1.25$, then the redundancy is
$$R = 1 - \frac{1.25}{\log_2 26} = 0.734.$$
This means that the English language is about 73% redundant and there exist encodings to compress English text to about 27% of its original length. It does not mean that you can arbitrarily remove 3 out of 4 characters.
4.2. Perfect Secrecy
In this section we apply the above results to cryptosystems $(\mathcal{M}, \mathcal{K}, \mathcal{C}, e, d)$ with finite sets
- $\mathcal{M} = \{M_1, \dots, M_m\}$ (message space),
- $\mathcal{K} = \{K_1, \dots, K_k\}$ (key space),
- $\mathcal{C} = \{C_1, \dots, C_n\}$ (ciphertext space).
The stochastically independent random variables $\tilde{M}$ and $\tilde{K}$ with support $\mathcal{M}$ and $\mathcal{K}$ model the occurrence of messages and keys, respectively. $\tilde{M}$ and $\tilde{K}$ have distributions
$$P(\tilde{M} = M_i) = p_i, \quad P(\tilde{K} = K_j) = q_j.$$
The distribution of the random variable $\tilde{C}$ with support $\mathcal{C}$, modeling the occurrence of ciphertext, is uniquely determined, namely
$$P(\tilde{C} = C_l) = r_l = \sum_{i,j :\ e(M_i, K_j) = C_l} p_i q_j, \quad l = 1, \dots, n.$$
The corresponding entropies of the random variables $\tilde{M}$, $\tilde{K}$ and $\tilde{C}$ are given by
$$H(\tilde{M}) = -\sum_{i=1}^{m} p_i \log p_i, \quad H(\tilde{K}) = -\sum_{j=1}^{k} q_j \log q_j, \quad H(\tilde{C}) = -\sum_{l=1}^{n} r_l \log r_l.$$
The conditional entropy $H(\tilde{K} \mid \tilde{C})$ is called key equivocation; analogously $H(\tilde{M} \mid \tilde{C})$ is called message equivocation. These conditional entropies are a measure of the information gained by intercepting some ciphertext.
Some fundamental relationships among the entropies are given by the following theorem:
Theorem 4.7. For the key equivocation and the message equivocation it holds that
a) $H(\tilde{K} \mid \tilde{C}) = H(\tilde{M} \mid \tilde{C}) + H(\tilde{K} \mid \tilde{M}, \tilde{C})$, in particular it holds that $H(\tilde{M} \mid \tilde{C}) \le H(\tilde{K} \mid \tilde{C})$,
b) $H(\tilde{K} \mid \tilde{C}) = H(\tilde{M}) + H(\tilde{K}) - H(\tilde{C})$.
Proof. a) By using the chain rule from Theorem 4.3 we obtain
$$H(\tilde{M} \mid \tilde{C}) = H(\tilde{M}, \tilde{C}) - H(\tilde{C}) = H(\tilde{M}, \tilde{K}, \tilde{C}) - H(\tilde{K} \mid \tilde{M}, \tilde{C}) - H(\tilde{C}),$$
$$H(\tilde{K} \mid \tilde{C}) = H(\tilde{K}, \tilde{C}) - H(\tilde{C}) = H(\tilde{M}, \tilde{K}, \tilde{C}) - \underbrace{H(\tilde{M} \mid \tilde{K}, \tilde{C})}_{= 0} - H(\tilde{C}),$$
$$\Rightarrow\ H(\tilde{K} \mid \tilde{C}) = H(\tilde{M}, \tilde{K}, \tilde{C}) - H(\tilde{C}) = H(\tilde{M} \mid \tilde{C}) + H(\tilde{K} \mid \tilde{M}, \tilde{C}).$$
b) Use the fact that $H(X, Y, f(X, Y)) = H(X, Y)$ for any function $f$.
$$\begin{aligned}
H(\tilde{K} \mid \tilde{C}) &= H(\tilde{K}, \tilde{C}) - H(\tilde{C}) \\
&= H(\tilde{M}, \tilde{K}, \tilde{C}) - H(\tilde{C}), \quad \text{since } \tilde{M} = d(\tilde{C}, \tilde{K}) \\
&= H(\tilde{M}, \tilde{K})  - H(\tilde{C}), \quad \text{since } \tilde{C} = e(\tilde{M}, \tilde{K}) \\
&= H(\tilde{M}) + H(\tilde{K}) - H(\tilde{C}), \quad \text{since } \tilde{M}, \tilde{K} \text{ are stochastically independent.}
\end{aligned}$$
Example 4.8. Let $\mathcal{M} = \mathcal{K} = \mathcal{C} = \{0, 1\}$. The distributions of $\tilde{M}$, $\tilde{K}$ and $\tilde{C}$ are given by:
- $\tilde{M} \sim \mathrm{Bin}(1, p)$, i.e., $P(\tilde{M} = 1) = p$, $P(\tilde{M} = 0) = 1 - p$, $0 \le p \le 1$,
- $\tilde{K} \sim \mathrm{Bin}(1, q)$,
- $\tilde{C} = e(\tilde{M}, \tilde{K}) = (\tilde{M} + \tilde{K}) \bmod 2$.
The random variables $\tilde{M}$ and $\tilde{K}$ are assumed to be stochastically independent.
Conditional distribution of $\tilde{C}$ given $\tilde{M}$:
$$P(\tilde{C} = 0 \mid \tilde{M} = 0) = \frac{P(\tilde{C} = 0, \tilde{M} = 0)}{P(\tilde{M} = 0)} = \frac{P(\tilde{K} = 0, \tilde{M} = 0)}{P(\tilde{M} = 0)} = \frac{(1-q)(1-p)}{(1-p)} = 1 - q,$$
$$P(\tilde{C} = 1 \mid \tilde{M} = 0) = q.$$
Analogously: $P(\tilde{C} = 0 \mid \tilde{M} = 1) = q$ and $P(\tilde{C} = 1 \mid \tilde{M} = 1) = 1 - q$.
Joint distribution of $(\tilde{M}, \tilde{C})$:
$$P(\tilde{M} = 0, \tilde{C} = 0) = P(\tilde{M} = 0 \mid \tilde{C} = 0)\, P(\tilde{C} = 0) = (1-p)(1-q).$$
Analogously:
| | $\tilde{C} = 0$ | $\tilde{C} = 1$ | $\tilde{M}$ |
| $\tilde{M} = 0$ | $(1-q)(1-p)$ | $(1-p)q$ | $1-p$ |
| $\tilde{M} = 1$ | $pq$ | $p(1-q)$ | $p$ |
| $\tilde{C}$ | $1 - p - q + 2pq$ | $p + q - 2pq$ | |
Conditional distribution of $\tilde{M}$ given $\tilde{C}$:
$$P(\tilde{M} = 0 \mid \tilde{C} = 0) = \frac{(1-p)(1-q)}{1 - p - q + 2pq}, \quad P(\tilde{M} = 1 \mid \tilde{C} = 0) = \frac{pq}{1 - p - q + 2pq},$$
$$P(\tilde{M} = 0 \mid \tilde{C} = 1) = \frac{(1-p)q}{p + q - 2pq}, \quad P(\tilde{M} = 1 \mid \tilde{C} = 1) = \frac{p(1-q)}{p + q - 2pq}.$$
Together with Definition 4.2 we get $H(\tilde{M}, \tilde{C})$.
Special case for $q = \frac{1}{2}$ (select keys randomly with equal probability):
$$P(\tilde{M} = 0 \mid \tilde{C} = 0) = P(\tilde{M} = 0 \mid \tilde{C} = 1) = 1 - p,$$
$$P(\tilde{M} = 1 \mid \tilde{C} = 0) = P(\tilde{M} = 1 \mid \tilde{C} = 1) = p,$$
i.e., $\tilde{M}$ and $\tilde{C}$ are stochastically independent. By Theorem 4.3: $H(\tilde{M}) = H(\tilde{M} \mid \tilde{C})$.
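The entropies of Section 4.1.1 and the binary cipher of Example 4.8 carried out numerically, as an added example that is not part of the lecture notes: the joint distribution of $(\tilde{M}, \tilde{K}, \tilde{C})$ for $\tilde{C} = (\tilde{M} + \tilde{K}) \bmod m$ is built from the (constructed) distributions of $\tilde{M}$ and $\tilde{K}$, and from it the quantities of Theorem 4.7 and Definition 4.9 are computed. It goes beyond the binary case to a general modulus $m$, i.e., the one-character Vernam setting of Section 4.2.1.

```python
from itertools import product
from math import log2


def entropy(probs):
    """H(X) = -sum_j p_j log2 p_j with the convention 0 log 0 = 0 (Definition 4.1)."""
    return -sum(p * log2(p) for p in probs if p > 0)


def additive_cipher_joint(p_msg, p_key):
    """Joint distribution of (M, K, C) for the cipher C = (M + K) mod m with
    M and K stochastically independent (Example 4.8 is the case m = 2).
    p_msg[i] = P(M = i), p_key[j] = P(K = j); returns {(i, j, c): probability}."""
    m = len(p_msg)
    if len(p_key) != m:
        raise ValueError("message and key alphabet must have the same size m")
    return {(i, j, (i + j) % m): p_msg[i] * p_key[j]
            for i, j in product(range(m), repeat=2)}


def marginal(joint, coords):
    """Marginalise the joint table onto the coordinate indices in `coords`
    (0 = M, 1 = K, 2 = C); returns {sub-tuple: probability}."""
    out = {}
    for key, pr in joint.items():
        sub = tuple(key[t] for t in coords)
        out[sub] = out.get(sub, 0.0) + pr
    return out


def conditional_entropy(joint, x_coords, y_coords):
    """H(X | Y) = -sum_{x,y} P(x, y) log2 P(x | y)   (Definition 4.2 b))."""
    pxy = marginal(joint, x_coords + y_coords)
    py = marginal(joint, y_coords)
    h = 0.0
    for key, pr in pxy.items():
        if pr > 0:
            h -= pr * log2(pr / py[key[len(x_coords):]])
    return h


def equivocations(p_msg, p_key):
    """All quantities appearing in Theorem 4.7 for C = (M + K) mod m."""
    joint = additive_cipher_joint(p_msg, p_key)
    return {
        "H(M)": entropy(marginal(joint, (0,)).values()),
        "H(K)": entropy(marginal(joint, (1,)).values()),
        "H(C)": entropy(marginal(joint, (2,)).values()),
        "H(M|C)": conditional_entropy(joint, (0,), (2,)),   # message equivocation
        "H(K|C)": conditional_entropy(joint, (1,), (2,)),   # key equivocation
    }


def has_perfect_secrecy(p_msg, p_key, tol=1e-9):
    """Definition 4.9: perfect secrecy iff H(M | C) = H(M)."""
    e = equivocations(p_msg, p_key)
    return abs(e["H(M|C)"] - e["H(M)"]) < tol


def redundancy(h_inf, m):
    """Redundancy R = 1 - H_inf(X) / log2 m of a source over m symbols (Definition 4.6)."""
    return 1 - h_inf / log2(m)


if __name__ == "__main__":
    # Constructed sample distribution: p = P(M = 1) = 0.3 as in Example 4.8.
    biased_msg = [0.7, 0.3]
    for q in (0.5, 0.3):                        # q = P(K = 1)
        e = equivocations(biased_msg, [1 - q, q])
        print(f"q={q}: H(M)={e['H(M)']:.4f}  H(M|C)={e['H(M|C)']:.4f}  "
              f"perfect secrecy: {has_perfect_secrecy(biased_msg, [1 - q, q])}")
    print(f"English redundancy with H_inf = 1.25: {redundancy(1.25, 26):.3f}")
```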
Definition 4.9. A cryptosystem $(\mathcal{M}, \mathcal{K}, \mathcal{C}, e, d)$ is said to have perfect secrecy if
$$H(\tilde{M} \mid \tilde{C}) = H(\tilde{M}).$$
We now define the sets of messages, keys and ciphertexts occurring with positive probability:
Definition 4.10. Let $(\mathcal{M}, \mathcal{K}, \mathcal{C}, e, d)$ be a cryptosystem. Then
$$\mathcal{M}^+ := \{M \in \mathcal{M} \mid P(\tilde{M} = M) > 0\}, \quad \mathcal{K}^+ := \{K \in \mathcal{K} \mid P(\tilde{K} = K) > 0\}, \quad \mathcal{C}^+ := \{C \in \mathcal{C} \mid P(\tilde{C} = C) > 0\}.$$
Corollary 4.11. $(\mathcal{M}, \mathcal{K}, \mathcal{C}, e, d)$ has perfect secrecy if and only if $\tilde{M}$ and $\tilde{C}$ are stochastically independent. This holds if and only if
$$P(\tilde{M} = M_i \mid \tilde{C} = C_l) = P(\tilde{M} = M_i) \text{ for all } M_i \in \mathcal{M},\ C_l \in \mathcal{C}^+$$
$$\Leftrightarrow\ P(\tilde{C} = C_l \mid \tilde{M} = M_i) = P(\tilde{C} = C_l) \text{ for all } C_l \in \mathcal{C},\ M_i \in \mathcal{M}^+.$$
Lemma 4.12. a) For any cryptosystem it holds that $|\mathcal{C}^+| \ge |\mathcal{M}^+|$.
b) If $(\mathcal{M}, \mathcal{K}, \mathcal{C}, e, d)$ has perfect secrecy, then $|\mathcal{K}^+| \ge |\mathcal{C}^+|$.
In particular it holds that $|\mathcal{K}^+| \ge |\mathcal{C}^+| \ge |\mathcal{M}^+|$.
Proof. a) Fix $K \in \mathcal{K}^+$. Then
$$|\mathcal{M}^+| = \big|\{\underbrace{e(M, K)}_{\in\, \mathcal{C}^+} \mid M \in \mathcal{M}^+\}\big| \le |\mathcal{C}^+|.$$
b) Fix $M \in \mathcal{M}^+$. Then
$$P(\tilde{C} = C \mid \tilde{M} = M) = P(\tilde{C} = C) > 0 \text{ for all } C \in \mathcal{C}^+.$$
Hence, for all $C \in \mathcal{C}^+$ there exists a $K \in \mathcal{K}^+$ such that $e(M, K) = C$ and thus
$$|\mathcal{C}^+| = |\{e(M, K) \mid K \in \mathcal{K}^+\}| \le |\mathcal{K}^+|.$$
Theorem 4.13. Let $(\mathcal{M}, \mathcal{K}, \mathcal{C}, e, d)$ be a cryptosystem with $P(\tilde{M} = M) > 0$ for all $M \in \mathcal{M}$, $P(\tilde{K} = K) > 0$ for all $K \in \mathcal{K}$, and $|\mathcal{M}| = |\mathcal{K}| = |\mathcal{C}|$. Then $(\mathcal{M}, \mathcal{K}, \mathcal{C}, e, d)$ has perfect secrecy if and only if
(i) $P(\tilde{K} = K) = \frac{1}{|\mathcal{K}|}$ for all $K \in \mathcal{K}$, and
(ii) for all $M \in \mathcal{M}$, $C \in \mathcal{C}$ there exists a unique $K \in \mathcal{K}$ such that $e(M, K) = C$.
Proof. "$\Leftarrow$": For any $M \in \mathcal{M}$, $C \in \mathcal{C}$ there exists a unique $K = K(M, C) \in \mathcal{K}$ such that $e(M, K(M, C)) = C$. It follows that
$$\begin{aligned}
P(\tilde{C} = C \mid \tilde{M} = M) &= \frac{P(e(\tilde{M}, \tilde{K}) = C,\ \tilde{M} = M)}{P(\tilde{M} = M)} = \frac{P(e(M, \tilde{K}) = C,\ \tilde{M} = M)}{P(\tilde{M} = M)} \\
&= P(e(M, \tilde{K}) = C), \quad \text{since } \tilde{M}, \tilde{K} \text{ are stochastically independent} \\
&= P(\tilde{K} = K(M, C)) = \frac{1}{|\mathcal{K}|}, \quad \text{independent of } M.
\end{aligned}$$
Hence,
$$P(\tilde{C} = C) = \sum_{M \in \mathcal{M}} \underbrace{P(\tilde{C} = C \mid \tilde{M} = M)}_{= 1/|\mathcal{K}|}\, P(\tilde{M} = M) = \frac{1}{|\mathcal{K}|} \underbrace{\sum_{M \in \mathcal{M}} P(\tilde{M} = M)}_{= 1} = \frac{1}{|\mathcal{K}|}.$$
So $P(\tilde{C} = C \mid \tilde{M} = M) = \frac{1}{|\mathcal{K}|} = P(\tilde{C} = C)$, i.e., $\tilde{M}$ and $\tilde{C}$ are stochastically independent, and from Corollary 4.11 we get that $(\mathcal{M}, \mathcal{K}, \mathcal{C}, e, d)$ has perfect secrecy.
"$\Rightarrow$": Exercise.
Remark 4.14 (weakening of premises in Theorem 4.13).
a) Suppose that $\mathcal{M} = \mathcal{M}^+$, $\mathcal{K} = \mathcal{K}^+$, $\mathcal{C} = \mathcal{C}^+$. Then it is sufficient to require that $|\mathcal{M}| = |\mathcal{K}|$, since from the property of perfect secrecy it follows that
$$|\mathcal{K}^+| \ge |\mathcal{C}^+| \ge |\mathcal{M}^+| \ \Rightarrow\ |\mathcal{K}| = |\mathcal{C}| = |\mathcal{M}|.$$
b) "$\Leftarrow$" remains valid even if there exists $M \in \mathcal{M}$ with $P(\tilde{M} = M) = 0$. This holds, as we still have $P(\tilde{C} = C \mid \tilde{M} = M) = P(\tilde{C} = C)$ for all $M \in \mathcal{M}^+$. For $M \in \mathcal{M} \setminus \mathcal{M}^+$ it holds that
$$P(\tilde{C} = C, \tilde{M} = M) = P(\tilde{C} = C)\, P(\tilde{M} = M) = 0,$$
such that independence of $\tilde{M}$ and $\tilde{C}$ still holds.
4.2.1. Perfect Secrecy of the Vernam Cipher
A formal definition of the Vernam cipher (cf. Section 2.4) is given by:
- $\mathcal{A} = \{0, \dots, m-1\}$, $\mathcal{M}^N = \mathcal{C}^N = \mathcal{K}^N = \mathcal{A}^N$,
- $\tilde{M}^N = (\tilde{M}_1, \dots, \tilde{M}_N)$ random variable with support $\mathcal{M}^N$,
- $\tilde{K}^N = (\tilde{K}_1, \dots, \tilde{K}_N)$, $\tilde{K}_1, \dots, \tilde{K}_N$ i.i.d., $P(\tilde{K}_j = i) = \frac{1}{m}$, $i = 0, \dots, m-1$, $j = 1, \dots, N$,
- $e(M, K) = ((a_1 + s_1) \bmod m, \dots, (a_N + s_N) \bmod m)$ for $M = (a_1, \dots, a_N)$ and $K = (s_1, \dots, s_N)$,
- $\tilde{C}^N = e(\tilde{M}^N, \tilde{K}^N)$.
For any plaintext character a new key character is selected uniformly and independently at random (one time pad, one time tape).
Theorem 4.15. The Vernam cipher has perfect secrecy.
Proof. Use Theorem 4.13:
(i) For each $M \in \mathcal{M}^N$, $C \in \mathcal{C}^N$ there exists exactly one $K \in \mathcal{K}^N$ such that $e(M, K) = C$, namely $K = (s_1, \dots, s_N)$ with $s_j = (c_j - a_j) \bmod m$.
(ii) $\tilde{K}^N$ is uniformly distributed over $\mathcal{K}^N$, as
$$P(\tilde{K}^N = K) = P(\tilde{K}_1 = s_1, \dots, \tilde{K}_N = s_N) = \prod_{i=1}^{N} P(\tilde{K}_i = s_i) = \frac{1}{m^N} = \frac{1}{|\mathcal{K}^N|}$$
for all $K = (s_1, \dots, s_N)$.
The assertion now follows from Theorem 4.13.
Disadvantages of the Vernam Cipher. The main disadvantages of the Vernam cipher are that $|\mathcal{K}^+| \ge |\mathcal{M}^+|$ (one needs at least as many keys as plaintexts) and that these keys have to be communicated over a secure channel in advance.
That is why there exist only very limited commercial applications for the Vernam cipher. On the other hand, the one-time pad is said to have been used for encrypted communication between Moscow and Washington in the times of the cold war.
5. Fast Block Ciphers
5.1. The Data Encryption Standard (DES)
On 15 May 1973 the National Bureau of Standards (NBS), which is now called the National Institute of Standards and Technology (NIST), solicited proposals for a cryptosystem. An algorithm developed by IBM that was based on a predecessor called LUCIFER was chosen. This algorithm was developed by Roy Adler, Don Coppersmith, Horst Feistel, Alan Konheim et al.
About two years later, on 17 March 1975, this algorithm was published as DES and a public discussion started. In January 1977 DES was adopted as a standard for unclassified applications.
DES was reviewed approximately every 5 years; the last time its approval was officially renewed was in 1999. Initially DES was expected to be a standard for about 10 - 15 years, but it proved to be more durable.
5.1.1. Description of DES
The DES algorithm encrypts blocks of 64 bits using a key of length 56 bits. The representation of the key uses 64 bits: after each 7 key bits one (odd) parity bit for error detection is added, so the key of a DES cipher is of the form
$$K_0 = (k_1, \dots, k_7, b_1, k_9, \dots, k_{15}, b_2, k_{17}, \dots, k_{57}, \dots, k_{63}, b_8).$$
From this key 16 round keys of length 48 bits are generated as described in the following section.
Key Generation
To generate 16 round keys from the DES key $K_0$, first divide the 56 key bits into two blocks of 28 bits each as described in Table 5.1. These two blocks are called $C_0$ and $D_0$.
In a second step generate $C_n, D_n$ for $n = 1, \dots, 16$ from $C_{n-1}, D_{n-1}$ by a cyclic left shift by $s_n$ positions, where $s_n$ is defined as follows:
$$s_n = \begin{cases} 1, & \text{if } n \in \{1, 2, 9, 16\}, \\ 2, & \text{otherwise.} \end{cases}$$
From each of these $(C_n, D_n)$, $n = 1, \dots, 16$, one now selects 48 bits as described in Table 5.2. Each of these 48 bit keys will be used in one standard building block of the encryption procedure.
Table 5.1.: Construction of the blocks $C_0$ and $D_0$ in the key generation of DES (PC1; each entry is the number of the key bit placed at that position)
PC1, above for $C_0$:
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
PC1, below for $D_0$:
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
Table 5.2.: Bit selection procedure in the key generation of DES (PC2; each entry is the position in $(C_n, D_n)$ of the selected bit)
14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
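The key generation described above (PC1 from Table 5.1, the shift schedule $s_n$, PC2 from Table 5.2) as working code, an added example that is not part of the lecture notes. The tables are copied from the page; the sample key 0x133457799BBCDFF1 is a test key chosen here, and the parity check follows the page's description of one odd parity bit per 7 key bits.

```python
# PC1 (Table 5.1, C_0 rows followed by D_0 rows) and PC2 (Table 5.2) as 1-based
# bit positions; SHIFTS is the schedule s_1 .. s_16 defined above.
PC1 = [57, 49, 41, 33, 25, 17, 9,   1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27,   19, 11, 3, 60, 52, 44, 36,   # -> C_0
       63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29,   21, 13, 5, 28, 20, 12, 4]    # -> D_0
PC2 = [14, 17, 11, 24, 1, 5,    3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8,    16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55,  30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53,  46, 42, 50, 36, 29, 32]
SHIFTS = [1 if n in (1, 2, 9, 16) else 2 for n in range(1, 17)]


def key_to_bits(key64):
    """64-bit integer -> bit list k_1..k_64, k_1 being the most significant bit."""
    return [(key64 >> (63 - i)) & 1 for i in range(64)]


def bits_to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def select(bits, table):
    """Read a DES table: output position t takes input bit number table[t]."""
    return [bits[pos - 1] for pos in table]


def rotate_left(block, n):
    return block[n:] + block[:n]


def parity_ok(key64):
    """Every key byte (7 key bits followed by b_i) must have odd parity."""
    return all(bin((key64 >> (8 * i)) & 0xFF).count("1") % 2 == 1 for i in range(8))


def des_halves(key64):
    """(C_n, D_n) for n = 0..16 as 28-bit integers; PC1 drops the 8 parity bits."""
    k56 = select(key_to_bits(key64), PC1)
    C, D = k56[:28], k56[28:]
    halves = [(bits_to_int(C), bits_to_int(D))]
    for s in SHIFTS:
        C, D = rotate_left(C, s), rotate_left(D, s)
        halves.append((bits_to_int(C), bits_to_int(D)))
    return halves


def des_round_keys(key64):
    """The 16 round keys K_1..K_16 (48-bit integers) selected by PC2 from (C_n, D_n)."""
    k56 = select(key_to_bits(key64), PC1)
    C, D = k56[:28], k56[28:]
    keys = []
    for s in SHIFTS:
        C, D = rotate_left(C, s), rotate_left(D, s)
        keys.append(bits_to_int(select(C + D, PC2)))
    return keys


if __name__ == "__main__":
    KEY = 0x133457799BBCDFF1          # sample key; all eight bytes have odd parity
    print("parity bits consistent:", parity_ok(KEY))
    for n, k in enumerate(des_round_keys(KEY), start=1):
        print(f"K_{n:2d} = {k:012x}")
```

Because the shifts add up to 28, the halves after round 16 equal $(C_0, D_0)$, which is a cheap self-check of the schedule.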
Encryption Procedure
The plaintext is divided into blocks of length 64 bits, each of which is encrypted in a procedure consisting of the following steps (cf. Figure 5.1):
- An initial permutation (IP) of the input bits and splitting into 2 blocks of 32 bits each (cf. Table 5.3).
- 16 rounds of the standard building block (SBB). The SBB is described below.
- The inverse of the permutation IP, called $IP^{-1}$ (cf. Table 5.4).
Each of the 16 standard building blocks consists of the following operations; a graphical representation of the $i$-th SBB is given in Figure 5.2:
- The expansion map $E$ doubles 16 of the 32 input bits and permutes the resulting 48 bits (cf. Table 5.5).
- $\oplus$ is the bitwise XOR operation of the block with the round key $K_i$.
- $P$ stands for a permutation of the bits (cf. Table 5.6).
- $S$ is a transformation $S : \{0, 1\}^{48} \to \{0, 1\}^{32}$. During this transformation the 48 input bits are partitioned into 8 blocks of 6 bits each, so we get $B = (B_1, \dots, B_8)$ with $B_i = (b_{i1}, b_{i2}, \dots, b_{i6})$. The operation on each of these blocks is described in Table 5.7 with $r = 2 b_{i1} + b_{i6}$ and $s = \sum_{j=2}^{5} 2^{5-j} b_{ij}$. The binary representation of the table entry contains the result of the corresponding S-box.
Table 5.3.: Initial permutation IP in the DES encryption procedure
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
Table 5.4.: Inverse initial permutation $IP^{-1}$ in the DES encryption procedure
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
Table 5.5.: Expansion step $E$ in the DES encryption
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
Table 5.6.: Permutation $P$ in the DES encryption
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
Decryption Procedure
It holds that
$$L_i = R_{i-1}, \quad R_i = L_{i-1} \oplus f(R_{i-1}, K_i), \quad i = 1, \dots, 16.$$
Hence
$$R_{i-1} = L_i, \quad L_{i-1} = R_i \oplus f(L_i, K_i), \quad i = 1, \dots, 16.$$
$R_{16}$ and $L_{16}$ are interchanged in the last step. Hence, the same algorithm can be used for decryption with the keys in reverse order.
Security of DES
Before DES was published in 1975, the IBM proposal was slightly changed by the NSA. Unconfirmed rumors say that the NSA wanted to make sure that IBM does not have a trapdoor; others speculate about the NSA itself wanting to include a trapdoor by these modifications.
Although the design criteria of the S-boxes have never been fully published, DES has been shown to be vulnerable to only two types of attacks:
- An exhaustive search of the $2^{56}$ possible keys was realized in 1999 using the "DES-Cracker" together with a network of about 100000 workstation computers and needed 22 hours.
- The differential cryptanalysis introduced by Biham and Shamir at CRYPTO in 1992 (cf. [BS93]) can be used to lower the complexity of an attack against DES. An attack remains complex even with this method, because the S-boxes are optimized against differential cryptanalysis, although this method was not known to the public when DES was developed. It is still not known whether the IBM researchers already knew about this sort of attack in 1973.
[Figure 5.1.: The DES Encryption Procedure (64-bit input, IP, 16 rounds of the SBB with round keys $K_1, \dots, K_{16}$, $IP^{-1}$); figure not reproduced]
[Figure 5.2.: The $i$-th standard building block of the DES encryption ($L_{i-1}, R_{i-1}$ and $K_i$ in; $E$, $\oplus$, $S$, $P$; $L_i, R_i$ out); figure not reproduced]
The DES algorithm should no longer be used, as the 56 bit key is too short: it can be cracked with today's hardware in a relatively short time. This criticism led to an extension of DES which is called triple-DES or 3-DES:
Triple-DES
The idea of 3-DES is to use DES three times with different keys. There exist 2 variants:
- The 3-Key-3-DES uses a 168 bit key $K = (K_1, K_2, K_3)$ and encryption of a 64 bit block $m$ is done via
$$c = DES_{K_3}\big(DES^{-1}_{K_2}(DES_{K_1}(m))\big).$$
- The 2-Key-3-DES uses a 112 bit key $K = (K_1, K_2)$. Encryption of a 64 bit block $m$ is done via
$$c = DES_{K_1}\big(DES^{-1}_{K_2}(DES_{K_1}(m))\big).$$
In both cases the $DES^{-1}$ in the second step is used to ensure compatibility with DES for $K_1 = K_2 = K_3$.
Table 5.7.: S-boxes $S_1, \dots, S_8$ of the DES encryption (row $r$, column $s$)
r \ s: [0] [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
S_1:
[0] 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
[1] 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
[2] 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
[3] 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
S_2:
[0] 15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
[1] 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
[2] 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
[3] 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
S_3:
[0] 10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
[1] 13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
[2] 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
[3] 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
S_4:
[0] 7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
[1] 13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
[2] 10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
[3] 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
S_5:
[0] 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
[1] 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
[2] 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
[3] 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
S_6:
[0] 12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
[1] 10 15 4 2 7 9 12 5 6 1 13 14 0 11 3 8
[2] 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
[3] 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
S_7:
[0] 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
[1] 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
[2] 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
[3] 6 11 13 8 1 4 10 7 9 5 0 15 14 3 2 12
S_8:
[0] 13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
[1] 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
[2] 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
[3] 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
5.2. The Advanced Encryption Standard (AES)
In September 1997 NIST put out a call for a replacement of DES. The requirements for the successor were that it should work with a block length of 128 bits and that it should support key lengths of 128, 192 and 256 bits. The deadline for the submission of proposals was set to June 1998.
There were 21 submitted proposals and after three AES conferences the so called "Rijndael" algorithm developed by Vincent Rijmen and Joan Daemen was chosen in an open and fair competition. The other 4 finalists were "MARS" submitted by IBM, "RC6" developed by RSA, "Serpent" by Biham et al. and "Twofish" constructed by Schneier et al.
5.2.1. Encryption Procedure
As required in the call, the AES encryption can work with keys of size 128, 192 or 256 bits. Most of the computations are in the field
$$\mathbb{F}_{2^8} = \mathbb{F}_2[X] / (x^8 + x^4 + x^3 + x + 1)\mathbb{F}_2[X].$$
The length of the key determines the number $r$ of rounds of the encryption procedure (see below): for a key of size 128 bits we have $r = 10$ rounds, for 192 bits $r$ is 12, and a 256 bit key leads to an encryption procedure that consists of 14 rounds. A key expansion function generates $r + 1$ round keys $K_0, \dots, K_r$ of size 128 bits from the encryption key $K$, where $r$ denotes the number of rounds.
The plaintext $m$ is divided into blocks of length 128 bits. Each of the blocks is organized in a $4 \times 4$ byte matrix. In this matrix the first byte becomes $b_{0,0}$, the second one becomes $b_{1,0}$, the fifth one becomes $b_{0,1}$ and so on. Such a byte matrix will be called state.
$$\begin{pmatrix} b_{0,0} & b_{0,1} & b_{0,2} & b_{0,3} \\ b_{1,0} & b_{1,1} & b_{1,2} & b_{1,3} \\ b_{2,0} & b_{2,1} & b_{2,2} & b_{2,3} \\ b_{3,0} & b_{3,1} & b_{3,2} & b_{3,3} \end{pmatrix}$$
Also each of the round keys $K_0, \dots, K_r$ is organized in such a matrix. The encryption is carried out in the following steps:
- Bytewise XOR of each state with the round key $K_0$ (AddRoundKey).
- Rounds $1, \dots, r-1$ consist of the following steps: SubBytes, ShiftRows, MixColumns, AddRoundKey.
- The last round just consists of SubBytes, ShiftRows and AddRoundKey.
In what follows the four substeps of each round are described in detail:
Table 5.8.: Lookup table for the SubBytes operation of the AES algorithm (entries in decimal), column $= (b_3, b_2, b_1, b_0)$ and row $= (b_7, b_6, b_5, b_4)$
99 124 119 123 242 107 111 197 48 1 103 43 254 215 171 118
202 130 201 125 250 89 71 240 173 212 162 175 156 164 114 192
183 253 147 38 54 63 247 204 52 165 229 241 113 216 49 21
4 199 35 195 24 150 5 154 7 18 128 226 235 39 178 117
9 131 44 26 27 110 90 160 82 59 214 179 41 227 47 132
83 209 0 237 32 252 177 91 106 203 190 57 74 76 88 207
208 239 170 251 67 77 51 133 69 249 2 127 80 60 159 168
81 163 64 143 146 157 56 245 188 182 218 33 16 255 243 210
205 12 19 236 95 151 68 23 196 167 126 61 100 93 25 115
96 129 79 220 34 42 144 136 70 238 184 20 222 94 11 219
224 50 58 10 73 6 36 92 194 211 172 98 145 149 228 121
231 200 55 109 141 213 78 169 108 86 244 234 101 122 174 8
186 120 37 46 28 166 180 198 232 221 116 31 75 189 139 138
112 62 181 102 72 3 246 14 97 53 87 185 134 193 29 158
225 248 152 17 105 217 142 148 155 30 135 233 206 85 40 223
140 161 137 13 191 230 66 104 65 153 45 15 176 84 187 22
SubBytes. Each byte $(b_7 b_6 \dots b_0)$ of each state is viewed as the element $b = b_7 x^7 + b_6 x^6 + \dots + b_0$ of $\mathbb{F}_{2^8}$ (represented by $\mathbb{F}_2[x]/(x^8 + x^4 + x^3 + x + 1)\mathbb{F}_2[x]$). First the element $b$ is inverted in $\mathbb{F}_{2^8}$, then the coefficients of this multiplicative inverse are written as $(y_7 \dots y_0)$ and transformed by the following affine map:
$$\begin{pmatrix} r_0 \\ r_1 \\ r_2 \\ r_3 \\ r_4 \\ r_5 \\ r_6 \\ r_7 \end{pmatrix} = \begin{pmatrix} 1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\ 1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\ 1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\ 1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\ 1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \end{pmatrix} \cdot \begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \end{pmatrix} + \begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}.$$
In implementations where memory is not strictly limited, this step can be implemented as a 256-entry lookup table (cf. Table 5.8). For an input $(b_7, \dots, b_0)$ the returned output is $\mathrm{bin}\big(s_{(b_7, \dots, b_4), (b_3, \dots, b_0)}\big)$.
ShiftRows. In this transformation step each but the first row of the state is shifted cyclically to the left. The second row is shifted by one byte, the third by two bytes and the fourth by three bytes:
$$\begin{pmatrix} b_{0,0} & b_{0,1} & b_{0,2} & b_{0,3} \\ b_{1,0} & b_{1,1} & b_{1,2} & b_{1,3} \\ b_{2,0} & b_{2,1} & b_{2,2} & b_{2,3} \\ b_{3,0} & b_{3,1} & b_{3,2} & b_{3,3} \end{pmatrix} \xrightarrow{\text{ShiftRows}} \begin{pmatrix} b_{0,0} & b_{0,1} & b_{0,2} & b_{0,3} \\ b_{1,1} & b_{1,2} & b_{1,3} & b_{1,0} \\ b_{2,2} & b_{2,3} & b_{2,0} & b_{2,1} \\ b_{3,3} & b_{3,0} & b_{3,1} & b_{3,2} \end{pmatrix} = \begin{pmatrix} c_{0,0} & c_{0,1} & c_{0,2} & c_{0,3} \\ c_{1,0} & c_{1,1} & c_{1,2} & c_{1,3} \\ c_{2,0} & c_{2,1} & c_{2,2} & c_{2,3} \\ c_{3,0} & c_{3,1} & c_{3,2} & c_{3,3} \end{pmatrix}.$$
MixColumns. In this step again each byte $c_{ij}$ of the state is regarded as an element of $\mathbb{F}_{2^8}$. Now the transformation of MixColumns can be described by a multiplication with a matrix $A \in \mathbb{F}_{2^8}^{4 \times 4}$:
$$\begin{pmatrix} 00000010 & 00000011 & 00000001 & 00000001 \\ 00000001 & 00000010 & 00000011 & 00000001 \\ 00000001 & 00000001 & 00000010 & 00000011 \\ 00000011 & 00000001 & 00000001 & 00000010 \end{pmatrix} \cdot \begin{pmatrix} c_{0,0} & c_{0,1} & c_{0,2} & c_{0,3} \\ c_{1,0} & c_{1,1} & c_{1,2} & c_{1,3} \\ c_{2,0} & c_{2,1} & c_{2,2} & c_{2,3} \\ c_{3,0} & c_{3,1} & c_{3,2} & c_{3,3} \end{pmatrix} = \begin{pmatrix} d_{0,0} & d_{0,1} & d_{0,2} & d_{0,3} \\ d_{1,0} & d_{1,1} & d_{1,2} & d_{1,3} \\ d_{2,0} & d_{2,1} & d_{2,2} & d_{2,3} \\ d_{3,0} & d_{3,1} & d_{3,2} & d_{3,3} \end{pmatrix}.$$
This matrix multiplication can be efficiently implemented, because a multiplication with $x$ is just a bit-shift (followed by a reduction modulo $x^8 + x^4 + x^3 + x + 1$) and a multiplication with $x + 1$ is an XOR of the byte with its $x$-multiple. Addition is nothing but an XOR operation.
Another way to compute this operation is to regard each column $c_j$ as a four term polynomial $f = c_3 u^3 + c_2 u^2 + c_1 u + c_0$ over $\mathbb{F}_{2^8}$. This polynomial is now multiplied by a fixed polynomial $a(u) = (x + 1) u^3 + u^2 + u + x \in \mathbb{F}_{2^8}[u]$ and reduced modulo $u^4 + 1 \in \mathbb{F}_{2^8}[u]$ afterwards.
This operation can also be written as a multiplication with a matrix $T \in \mathbb{F}_{2^8}^{4 \times 4}$:
$$\begin{pmatrix} r_0 \\ r_1 \\ r_2 \\ r_3 \end{pmatrix} = \begin{pmatrix} x & (x + 1) & 1 & 1 \\ 1 & x & (x + 1) & 1 \\ 1 & 1 & x & (x + 1) \\ (x + 1) & 1 & 1 & x \end{pmatrix} \cdot \begin{pmatrix} c_0 \\ c_1 \\ c_2 \\ c_3 \end{pmatrix}.$$
AddRoundKey. In round $i$, the round key $K_i$ is added bitwise to each 128 bit block:
$$\begin{pmatrix} d_{0,0} & d_{0,1} & d_{0,2} & d_{0,3} \\ d_{1,0} & d_{1,1} & d_{1,2} & d_{1,3} \\ d_{2,0} & d_{2,1} & d_{2,2} & d_{2,3} \\ d_{3,0} & d_{3,1} & d_{3,2} & d_{3,3} \end{pmatrix} \oplus \begin{pmatrix} k_{0,0} & k_{0,1} & k_{0,2} & k_{0,3} \\ k_{1,0} & k_{1,1} & k_{1,2} & k_{1,3} \\ k_{2,0} & k_{2,1} & k_{2,2} & k_{2,3} \\ k_{3,0} & k_{3,1} & k_{3,2} & k_{3,3} \end{pmatrix} = \begin{pmatrix} e_{0,0} & e_{0,1} & e_{0,2} & e_{0,3} \\ e_{1,0} & e_{1,1} & e_{1,2} & e_{1,3} \\ e_{2,0} & e_{2,1} & e_{2,2} & e_{2,3} \\ e_{3,0} & e_{3,1} & e_{3,2} & e_{3,3} \end{pmatrix}.$$
5.2.2. Key Expansion
The key expansion function is only described for a key size of 128 bits; it works similarly for key sizes of 192 and 256 bits, details can be found in [DR]. In the following the encryption key $K$ is viewed as a 4-tuple of 32 bit words: $K = W_0, W_1, W_2, W_3$. Algorithm 1 generates an array of $4(r + 1)$ 32 bit words $W = W_0, W_1, \dots, W_{4r+3}$. This array is then split into round keys $K_0 = (W_0, W_1, W_2, W_3)$, $K_1 = (W_4, W_5, W_6, W_7)$, ..., $K_r = (W_{4r}, W_{4r+1}, W_{4r+2}, W_{4r+3})$ of length 128 bits.
The description of the algorithm uses the function SubBytes already described above, the function RotByte, which is just a cyclic left shift by one byte, and the function Rcon, which is defined as follows:
$$\mathrm{Rcon}(i) = (RC(i), \mathtt{0x00}, \mathtt{0x00}, \mathtt{0x00}),$$
$RC(i)$ representing $x^{i-1}$ as an element of $\mathbb{F}_{2^8}$.
Algorithm 1 AES key expansion
Split $K$ into 4 32-bit words $W_0, W_1, W_2, W_3$
for ($i \leftarrow 4$; $i < 4(r + 1)$; $i$++) do
    tmp $\leftarrow W_{i-1}$
    if ($i \bmod 4 = 0$) then
        tmp $\leftarrow$ SubBytes(RotByte(tmp)) $\oplus$ Rcon($i/4$)
    end if
    $W_i \leftarrow W_{i-4} \oplus$ tmp
end for
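The field arithmetic behind SubBytes and MixColumns and the key expansion of Algorithm 1, as an added example that is not part of the lecture notes (the SubBytes box is generated from the inverse and the affine map above instead of being copied from Table 5.8, so the table can be checked against it). Assumptions not on the page: the sample key is the 128-bit key used in the FIPS-197 key-expansion example, and the MixColumns test column is the FIPS-197 sample column.

```python
# F_{2^8} = F_2[x]/(x^8 + x^4 + x^3 + x + 1); 0x11B is the modulus written as bits.
MODULUS = 0x11B


def gf_mul(a, b):
    """Product of two field elements. Multiplying by x is a left shift followed by
    a conditional XOR with the modulus, the cheap step the MixColumns description
    relies on; the loop adds up the shifted copies of a selected by the bits of b."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MODULUS
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse via a^254 = a^-1 (the unit group has order 255); inv(0) := 0."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result if a else 0


def sub_byte(b):
    """SubBytes: invert in F_{2^8}, then apply the affine map r = A y + c above.
    Row i of A has ones in columns i, i+4, i+5, i+6, i+7 (mod 8); the constant
    (c_0, ..., c_7) = (1,1,0,0,0,1,1,0) is the byte 0x63 with c_0 as its LSB."""
    y = gf_inv(b)
    r = 0
    for i in range(8):
        bit = 0
        for t in (0, 4, 5, 6, 7):
            bit ^= (y >> ((i + t) % 8)) & 1
        r |= bit << i
    return r ^ 0x63


SBOX = [sub_byte(b) for b in range(256)]   # reproduces Table 5.8 (row = high nibble)


def mix_column(col):
    """MixColumns on one column (c_0, c_1, c_2, c_3): multiplication by the matrix T."""
    c0, c1, c2, c3 = col
    return [gf_mul(c0, 2) ^ gf_mul(c1, 3) ^ c2 ^ c3,
            c0 ^ gf_mul(c1, 2) ^ gf_mul(c2, 3) ^ c3,
            c0 ^ c1 ^ gf_mul(c2, 2) ^ gf_mul(c3, 3),
            gf_mul(c0, 3) ^ c1 ^ c2 ^ gf_mul(c3, 2)]


def rot_byte(word):
    """RotByte: cyclic left shift of a 4-byte word by one byte."""
    return word[1:] + word[:1]


def rcon(i):
    """Rcon(i) = (RC(i), 0x00, 0x00, 0x00) with RC(i) = x^(i-1) in F_{2^8}."""
    rc = 1
    for _ in range(i - 1):
        rc = gf_mul(rc, 2)
    return [rc, 0, 0, 0]


def key_expansion_128(key):
    """Algorithm 1 for a 128-bit key (r = 10): returns W_0 .. W_43, each a list of
    4 bytes; round key K_i is (W_{4i}, ..., W_{4i+3})."""
    if len(key) != 16:
        raise ValueError("this routine handles 128-bit keys only")
    W = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 4 * (10 + 1)):
        tmp = W[i - 1]
        if i % 4 == 0:
            tmp = [s ^ c for s, c in zip([SBOX[b] for b in rot_byte(tmp)], rcon(i // 4))]
        W.append([a ^ b for a, b in zip(W[i - 4], tmp)])
    return W


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 sample key
    W = key_expansion_128(key)
    for i in range(11):
        print(f"K_{i:2d} =", bytes(sum(W[4 * i:4 * i + 4], [])).hex())
    print("SubBytes(0x53) =", hex(SBOX[0x53]), " MixColumns(db 13 53 45) =",
          bytes(mix_column([0xDB, 0x13, 0x53, 0x45])).hex())
```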
5.2.3. Decryption
Inverting the cipher operations and implementing the algorithm with these inverted transformations InvShiftRows, InvSubBytes, InvMixColumns and AddRoundKey in reverse order leads to the decryption procedure of AES. In contrast to the DES algorithm, decryption is not just applying the same algorithm with the round keys in reverse order.
5.2.4. Design Considerations and Security
Unlike the design of the DES algorithm, the design criteria of the AES algorithm are fully documented and have been discussed at various conferences and meetings. These design criteria include the following considerations:
- If one byte is modified in the plaintext, then all 16 bytes are already modified after two rounds of the AES encryption.
- The design of the S-box in the SubBytes operation as an operation in $\mathbb{F}_{2^8}$ is highly non-linear and built to resist differential and linear cryptanalysis. Furthermore the simple, algebraic design allows for very efficient implementation on most platforms (cf. [NBB+00]). The open discussion and the simple design foreclosed suspicion of built-in trapdoors.
- The ShiftRows operation is included to avoid so called truncated differential attacks and the Square attack, named after the cryptosystem "Square" it was first successfully applied to.
- The MixColumns operation causes diffusion among the bytes.
- The elaborate key schedule is used to avoid advantages from knowing parts of the key.
- Presently there are no better attacks known than exhaustive key search. Faster attacks can be applied when reducing the number of rounds.
5.3. Other Block Ciphers
There exist several other block ciphers, like the International Data Encryption Algorithm (IDEA) designed by Lai and Massey, which was first presented at Eurocrypt 90. It is patented in Europe and the USA; the non-commercial use is free.
Other block cipher algorithms used today include Blowfish, Khazad, Anubis and some AES finalists like Serpent and Twofish.
5.4. Modes of Operation
A block cipher with key $K$, in the following denoted $E_K$, can be used in different so called modes of operation. The most obvious one is the electronic codebook mode (ECB):
5.4.1. Electronic Codebook Mode (ECB)
Using the electronic codebook mode, each block $M_i$ of a plaintext $M = (M_1, \dots, M_n)$ is encrypted by directly applying the block cipher $E_K$:
Encryption: $C_i = E_K(M_i)$
Decryption: $M_i = E_K^{-1}(C_i)$
5.4.2. Cipher-Block Chaining Mode (CBC)
The cipher-block chaining mode makes use of a non-secret initial vector $C_0$. Before applying the encryption function $E_K$, each plaintext block $M_i$ is added bitwise to the preceding cipher block $C_{i-1}$:
Encryption: $C_i = E_K(M_i \oplus C_{i-1})$
Decryption: $C_{i-1} \oplus M_i = E_K^{-1}(C_i)$, hence $M_i = E_K^{-1}(C_i) \oplus C_{i-1}$
5.4.3. Output Feedback Mode (OFB)
Also the output feedback mode makes use of a non-secret initial vector $Z_0 = C_0$. Starting from this initial vector a keystream is generated using the block cipher $E_K$. This keystream is then added bitwise to the plaintext:
Encryption: $Z_i = E_K(Z_{i-1})$, $C_i = M_i \oplus Z_i$
Decryption: $Z_i = E_K(Z_{i-1})$, $M_i = C_i \oplus Z_i$
5.4.4. Cipher Feedback Mode (CFB)
The cipher feedback mode also generates a keystream based on a non-secret initial vector $Z_0 = C_0$; here the keystream is based on the preceding ciphertext:
Encryption: $Z_i = E_K(C_{i-1})$, $C_i = M_i \oplus Z_i$
Decryption: $M_i = C_i \oplus Z_i = C_i \oplus E_K(C_{i-1})$
5.4.5. Counter Mode (CTR)
The counter mode starts with an arbitrary counter $Z_1 = C_0$ and then the counter is incremented by one for each block, i.e. $Z_{i+1} = Z_i + 1$. The keystream is based on the following procedure:
Encryption: $C_i = E_K(Z_i) \oplus M_i$
Decryption: $M_i = E_K(Z_i) \oplus C_i$
In ECB, OFB and CTR modes, changing one plaintext block does not affect other ciphertext blocks. In CBC and CFB modes, changing one plaintext block affects all subsequent ciphertext blocks. This is appropriate for generating a so called message authentication code:
Example (Message Authentication Code). For a message $M = (M_1, \dots, M_n)$ append $C_n$ generated with CBC or CFB mode to the message. If Oscar tampers with $(M_1, \dots, M_n)$, $C_n$ does not fit anymore. The authorized receiver, who knows the key $K$ used for the generation of $C_n$, can easily verify $C_n$, hence the integrity or authenticity of $(M_1, \dots, M_n)$.
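The five modes of Section 5.4 and the message authentication code example, written generically over any block cipher $E_K$ as an added example that is not part of the lecture notes. Since the page gives no concrete $E_K$ here, the block cipher is a constructed 8-round Feistel network on 64-bit blocks (invertible, but an illustration only, not a cipher to deploy); the plaintext blocks and the initial vector are constructed sample values, and `propagation_demo` records which ciphertext blocks change when one plaintext block is altered, which is the error-propagation statement made above.

```python
import hashlib

BLOCK = 8   # 64-bit blocks


def toy_block_cipher(key):
    """Constructed stand-in for E_K and E_K^{-1}: an 8-round Feistel network whose
    round function is SHA-256(K || i || R) truncated to 32 bits. Every Feistel
    network is a bijection, which is all the modes below need."""
    def f(i, right):
        return hashlib.sha256(key + bytes([i]) + right).digest()[:4]

    def enc(block):
        L, R = block[:4], block[4:]
        for i in range(8):
            L, R = R, xor(L, f(i, R))
        return R + L          # final swap, so dec is the same network run backwards

    def dec(block):
        L, R = block[:4], block[4:]
        for i in reversed(range(8)):
            L, R = R, xor(L, f(i, R))
        return R + L
    return enc, dec


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(enc, blocks):
    return [enc(m) for m in blocks]                       # C_i = E_K(M_i)


def cbc_encrypt(enc, c0, blocks):
    out, prev = [], c0
    for m in blocks:
        prev = enc(xor(m, prev))                          # C_i = E_K(M_i xor C_{i-1})
        out.append(prev)
    return out


def cbc_decrypt(dec, c0, blocks):
    out, prev = [], c0
    for c in blocks:
        out.append(xor(dec(c), prev))                     # M_i = E_K^{-1}(C_i) xor C_{i-1}
        prev = c
    return out


def ofb_encrypt(enc, z0, blocks):
    out, z = [], z0
    for m in blocks:
        z = enc(z)                                        # Z_i = E_K(Z_{i-1})
        out.append(xor(m, z))
    return out


def cfb_encrypt(enc, c0, blocks):
    out, prev = [], c0
    for m in blocks:
        prev = xor(m, enc(prev))                          # C_i = M_i xor E_K(C_{i-1})
        out.append(prev)
    return out


def ctr_encrypt(enc, z1, blocks):
    out, start = [], int.from_bytes(z1, "big")
    for i, m in enumerate(blocks):
        z = ((start + i) % 2 ** 64).to_bytes(BLOCK, "big")  # Z_{i+1} = Z_i + 1
        out.append(xor(enc(z), m))                        # C_i = E_K(Z_i) xor M_i
    return out


def cbc_mac(enc, blocks, c0=bytes(BLOCK)):
    """The page's MAC example: the last CBC block C_n, here with a fixed all-zero C_0."""
    return cbc_encrypt(enc, c0, blocks)[-1]


def changed_blocks(c_a, c_b):
    return [i for i, (a, b) in enumerate(zip(c_a, c_b)) if a != b]


def propagation_demo():
    """Indices of ciphertext blocks that change when plaintext block M_2 (index 1) changes."""
    enc, _ = toy_block_cipher(b"constructed-key")
    iv = bytes(range(BLOCK))                              # constructed non-secret C_0
    msg = [bytes([b] * BLOCK) for b in (0x41, 0x42, 0x43, 0x44)]
    mod = list(msg)
    mod[1] = bytes([0x58] * BLOCK)
    modes = {"ECB": lambda ms: ecb_encrypt(enc, ms),
             "CBC": lambda ms: cbc_encrypt(enc, iv, ms),
             "OFB": lambda ms: ofb_encrypt(enc, iv, ms),
             "CFB": lambda ms: cfb_encrypt(enc, iv, ms),
             "CTR": lambda ms: ctr_encrypt(enc, iv, ms)}
    return {name: changed_blocks(run(msg), run(mod)) for name, run in modes.items()}


if __name__ == "__main__":
    for mode, idx in propagation_demo().items():
        print(f"{mode}: blocks changed by altering M_2 -> {idx}")
```

Because $E_K$ is a bijection, the propagation in CBC and CFB is exact, not probabilistic: a different $C_{i-1}$ always yields a different $C_i$.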
Example (Sharing Passwords). Storing plaintext passwords is insecure. Hence the following procedure is applied.
- A user enters the tuple (name, password).
- The system generates the key $K = k(\text{name}, \text{password})$ and stores $(\text{name}, E_K(\text{password}))$.
- When logging in, the system compares the tuple $(\text{name}, E_K(\text{password}))$ with the stored value.
Using this procedure the knowledge of $(\text{name}, E_K(\text{password}))$ is useless for an intruder.
6. Number-Theoretic Reference Problems
This chapter introduces some basic information about number theory that is useful for cryptographic methods and protocols.
In this chapter we consider $\mathbb{Z}_n = \mathbb{Z}/n\mathbb{Z}$, the ring of equivalence classes defined by the following equivalence relation on $\mathbb{Z}$:
$s \sim t$ or $s \equiv t \pmod{n}$ $:\Leftrightarrow$ $n \mid (s - t)$.
We easily see that $(\mathbb{Z}_n, +, \cdot)$ forms a commutative ring. Let's now consider the set of units of this ring:
Definition 6.1. The set
$\mathbb{Z}_n^* := \{a \in \mathbb{Z}_n \mid \gcd(a, n) = 1\}$
is called the multiplicative group of $\mathbb{Z}_n$. The function
$\varphi(n) = |\mathbb{Z}_n^*|$
is called Euler $\varphi$-function.
Remark.
- $\varphi(p) = p - 1$ for any prime $p$.
- $\mathbb{Z}_n^*$ is a multiplicative abelian group; it holds that
$\gcd(a, n) = 1 \Leftrightarrow$ there exists the inverse $s$ of $a$, i.e., $a \cdot s \equiv 1 \pmod{n}$.
- In the following we will also use the notation $(a, n) := \gcd(a, n)$.
- If $(a, n) = 1$, $a$ and $n$ are called relatively prime or coprime.
Theorem 6.2 (Euler, Fermat). Let $a \in \mathbb{Z}_n^*$. Then
$a^{\varphi(n)} \equiv 1 \pmod{n}$.
In particular Fermat's little theorem holds, which states that if $p$ is prime and $(a, p) = 1$, then $a^{p-1} \equiv 1 \pmod{p}$.
6.1. Primality Testing
This section presents algorithms to test whether a given number $2 \le n \in \mathbb{N}$ is prime. If $n$ is not prime we will say that $n$ is composite.
6.1.1. Fermat Primality Test (FPT)
From Fermat's little theorem (cf. Theorem 6.2) a probabilistic primality test for integers $n \in \mathbb{N}$ is derived as follows:
Fermat's Primality Test (FPT) Select $a \in \{2, \ldots, n-1\}$ at random. Decide that
$n$ is prime, if $a^{n-1} \equiv 1 \pmod{n}$,
$n$ is composite, otherwise.
If for composite $n$ there are sufficiently many $a \in \{2, \ldots, n-1\}$ with $a^{n-1} \not\equiv 1 \pmod{n}$, a high success probability can be achieved by independent repetition of the test. Let's now consider the cardinality of the set $\{a \in \{2, \ldots, n-1\} \mid a^{n-1} \not\equiv 1 \pmod{n}\}$.
Lemma. It holds that if $n$ is composite and $a \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$, then $a^{n-1} \not\equiv 1 \pmod{n}$.
Proof. Suppose $a^{n-1} \equiv 1 \pmod{n}$ $\Rightarrow$ $a^{-1}$ exists, namely $a^{-1} = a^{n-2}$ $\Rightarrow$ $a \in \mathbb{Z}_n^*$. This is a contradiction to the assumption that $a \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$.
So the least favorable case for the above procedure occurs if $n$ is composite and $a^{n-1} \equiv 1 \pmod{n}$ for all $a \in \mathbb{Z}_n^*$. Such numbers $n$ are called Carmichael numbers; the first ones are 561, 1105, 1729, 2465, 2821, 6601, 29341, 172081, 278545. Alford et al. proved in [AGP94] that there exist infinitely many Carmichael numbers.
However, if $n$ is not a Carmichael number, the following proposition states that there exist sufficiently many $a \in \{2, \ldots, n-1\}$ fulfilling $a^{n-1} \not\equiv 1 \pmod{n}$:
Proposition 6.3. Let $n$ be composite, odd, no Carmichael number. Then
$|\{a \in \mathbb{Z}_n \setminus \{0\} \mid a^{n-1} \not\equiv 1 \pmod{n}\}| \ge \frac{n}{2}$.
Proof. Consider the set $K_{n-1} := \{a \in \mathbb{Z}_n \mid a^{n-1} \equiv 1 \pmod{n}\}$. It holds that $K_{n-1} \subseteq \mathbb{Z}_n^*$, as all $a \in K_{n-1}$ have multiplicative inverses. Furthermore $K_{n-1}$ is a subgroup of $\mathbb{Z}_n^*$, because
- it is closed under multiplication,
- the multiplication is associative,
- $1 \in K_{n-1}$,
- the inverse of $a$, namely $a^{n-2}$, is in $K_{n-1}$, as $(a^{n-2})^{n-1} = (a^{n-1})^{n-2} \equiv 1 \pmod{n}$.
As $n$ is not a Carmichael number, there exists $a \in \mathbb{Z}_n^*$ such that $a \notin K_{n-1}$, so $K_{n-1}$ is a proper subgroup of $\mathbb{Z}_n^*$. By Lagrange's theorem it holds that
$|K_{n-1}|$ divides $|\mathbb{Z}_n^*|$,
hence
$|K_{n-1}| \le \frac{1}{2}\,|\mathbb{Z}_n^*| \le \frac{n-2}{2}$.
Finally we conclude that
$|(\mathbb{Z}_n \setminus \{0\}) \setminus K_{n-1}| \ge n - 1 - \frac{n-2}{2} = \frac{n}{2}$.
Hence, provided $n$ is not a Carmichael number, it holds for the FPT that
$P(\text{FPT states ``}n\text{ composite''} \mid n \text{ composite}) \ge \frac{1}{2}$, or equivalently
$P(\text{FPT states ``}n\text{ prime''} \mid n \text{ composite}) \le \frac{1}{2}$.
Moreover, it holds that
$P(\text{FPT states ``}n\text{ prime''} \mid n \text{ prime}) = 1$.
The big disadvantage of this simple test, which can be easily implemented, is the worst-case behaviour occurring if $n$ is a Carmichael number. In the following we will therefore consider a primality test without such disadvantages.
6.1.2. Miller-Rabin Primality Test (MRPT)
The MRPT is a probabilistic test satisfying for any integer $n$ that
$n$ prime $\Rightarrow$ the algorithm declares "$n$ prime" with probability 1, and
$n$ composite $\Rightarrow$ the algorithm declares "$n$ composite" with probability not smaller than $\frac{3}{4}$.
Definition 6.4. Let $n = 1 + q 2^k$, $q$ odd. Any odd integer $n$ has a unique representation of this form. Let further $a \in \mathbb{N}$, $2 \le a \le n-1$. We call $a$ a strong witness (to compositeness), if
i) $a^q \not\equiv 1 \pmod{n}$,
ii) $a^{q 2^i} \not\equiv -1 \pmod{n}$ for all $i = 0, \ldots, k-1$.
If $a$ is a strong witness for the compositeness of $n$ we will denote this by $a \in W(n)$.
Proposition 6.5.
$a \in W(n) \Rightarrow n$ is composite.
Proof. Suppose $a \in W(n)$ and $n$ prime. By Theorem 6.2 it holds that
$a^{n-1} = a^{q 2^k} \equiv 1 \pmod{n}$.
Now consider the successive squares
$\underbrace{a^{q}}_{\not\equiv 1 \pmod{n}},\ a^{q2},\ a^{q2^2},\ a^{q2^3},\ \ldots,\ \underbrace{a^{q2^k}}_{\equiv 1 \pmod{n}}$.
Let
$j = \max\{0 \le i \le k-1 \mid a^{q 2^i} \not\equiv 1 \pmod{n}\}$.
So we get $b = a^{q 2^j}$, such that $b \not\equiv 1 \pmod{n}$ and $b^2 \equiv 1 \pmod{n}$. But since $n$ is supposed to be prime, $\mathbb{Z}_n$ is a field and hence $b = 1$ or $b = -1$. As $b \not\equiv 1 \pmod{n}$ it follows that $b = -1$, a contradiction to Definition 6.4.
There are only a few $a \in \{2, \ldots, n-1\}$ with $a \notin W(n)$. A more precise statement about the cardinality of $W(n)$ is given by the following theorem:
Theorem 6.6. For any odd, composite $n \in \mathbb{N}$ it holds that
$|\{a \mid 2 \le a \le n-1,\ a \notin W(n)\}| \le \frac{n}{4}$.
Proof. The proof can be found in [Rab80] or [Kob87a].
Hence, choosing $a$ at random in $\{2, \ldots, n-1\}$ with $a \notin W(n)$ has probability $\le \frac{1}{4}$.
Algorithm 2 Miller-Rabin Primality Test
Write $n = 1 + q 2^k$, $q$ odd
Choose $a \in \{2, \ldots, n-1\}$ uniformly distributed at random
$y \leftarrow a^q \bmod n$
if ($y = 1$) OR ($y = n-1$) then
  return "$n$ prime"
end if
for ($i \leftarrow 1$; $i < k$; $i$++) do
  $y \leftarrow y^2 \bmod n$
  if ($y = n-1$) then
    return "$n$ prime"
  end if
end for
return "$n$ composite"
The above considerations lead to Algorithm 2 to test whether an integer $n$ is prime or composite. If this algorithm is applied $M$ times with independently generated $a \in \{2, \ldots, n-1\}$, it holds that
$P(\text{MRPT states ``}n\text{ prime''} \mid n \text{ composite}) \le \left(\frac{1}{4}\right)^M$, and
$P(\text{MRPT states ``}n\text{ prime''} \mid n \text{ prime}) = 1$.
6.1.3. Deterministic Primality Testing
Since August 6, 2002 there exists a polynomial time deterministic algorithm that determines whether an input number $n$ is prime or composite, see [AKS02]. This algorithm is much slower than the probabilistic algorithm MRPT, for most applications unacceptably slow. This is why the MRPT is still used in most applications.
6.1.4. Finding Large Prime Numbers
The algorithms presented in this section can also be used to find large prime numbers: The idea is to choose a large, odd $n \in \mathbb{N}$ and then iterate $n \leftarrow n + 2$ until a prime number $n$ is found. The prime number theorem indicates that this algorithm terminates after a reasonable period of time:
Theorem 6.7 (Prime Number Theorem). It holds that
$|\{p \mid p \le n,\ p \text{ prime}\}| \approx \frac{n}{\ln n}$.
Proof. See [HW79].
Hence, the probability that a randomly chosen $m \le n \in \mathbb{N}$ is prime is approximately $\frac{1}{\ln n}$, so for example, for $n = 2^{512}$ we get (by selecting only odd integers)
$\frac{2}{\ln 2^{512}} \approx \frac{1}{177.4}$.
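The Fermat test, its Carmichael-number worst case, Algorithm 2 (Miller-Rabin) and the "step by 2 until prime" search of Section 6.1.4, as an added runnable illustration that is not code from the lecture notes. All functions are written from the definitions in the text; the bound checks use the smallest Carmichael number 561 and small constructed inputs.

```python
# Added example (not from the lecture notes): the Fermat test, Carmichael
# numbers as its worst case, the Miller-Rabin test exactly as in Algorithm 2,
# and the "n <- n + 2 until prime" search of Section 6.1.4.
import math
import random


def fermat_test(n: int, a: int) -> bool:
    """FPT with base a: returns True if it decides 'n prime'."""
    return pow(a, n - 1, n) == 1


def fermat_liars(n: int) -> int:
    """|{a in {2..n-1} : a^(n-1) = 1 (mod n)}| by exhaustive count."""
    return sum(1 for a in range(2, n) if fermat_test(n, a))


def is_composite(n: int) -> bool:
    """Trial division; only used to classify small n below."""
    return n > 1 and any(n % d == 0 for d in range(2, math.isqrt(n) + 1))


def is_carmichael(n: int) -> bool:
    """Composite n with a^(n-1) = 1 (mod n) for every a in Z_n^*.  The
    lemma in the text says non-units never pass, so only units are checked."""
    if not is_composite(n):
        return False
    return all(pow(a, n - 1, n) == 1
               for a in range(2, n) if math.gcd(a, n) == 1)


def decompose(n: int):
    """Write odd n = 1 + q * 2^k with q odd, returning (q, k)."""
    q, k = n - 1, 0
    while q % 2 == 0:
        q //= 2
        k += 1
    return q, k


def miller_rabin_round(n: int, a: int) -> bool:
    """One round of Algorithm 2 with base a: True means 'n prime',
    False means 'n composite' (a is a strong witness)."""
    q, k = decompose(n)
    y = pow(a, q, n)
    if y == 1 or y == n - 1:
        return True
    for _ in range(1, k):
        y = y * y % n
        if y == n - 1:
            return True
    return False


def strong_liars(n: int) -> int:
    """|{a in {2..n-1} : a is not a strong witness}|; Theorem 6.6 bounds
    this by n/4 for odd composite n."""
    return sum(1 for a in range(2, n) if miller_rabin_round(n, a))


def miller_rabin(n: int, rounds: int = 20) -> bool:
    """MRPT with `rounds` independent random bases; the error probability
    for composite n is at most (1/4)^rounds."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return all(miller_rabin_round(n, random.randrange(2, n))
               for _ in range(rounds))


def next_prime(n: int, rounds: int = 20) -> int:
    """Section 6.1.4: from odd n iterate n <- n + 2 until MRPT says prime."""
    if n % 2 == 0:
        n += 1
    while not miller_rabin(n, rounds):
        n += 2
    return n


if __name__ == "__main__":
    print("Fermat liars for 561:", fermat_liars(561),
          "strong liars:", strong_liars(561), "(bound n/4 =", 561 // 4, ")")
    print("Carmichael numbers below 1800:",
          [m for m in range(3, 1800, 2) if is_carmichael(m)])
    print("first prime after 2**64:", next_prime(2**64 + 1))
```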
6.2. The Integer Factorization Problem
From the algorithms described in the preceding section we learned that the task to decide whether a given number is prime or composite is computationally "easy". A much harder task is to compute the prime factorization of a given integer $n$. The naive "trial-division" algorithm is much too inefficient for large numbers $n$; some more advanced algorithms, like the quadratic sieve and the number field sieve, are based on the following proposition:
Proposition 6.8. Let $x \not\equiv \pm y \pmod{n}$ and $x^2 \equiv y^2 \pmod{n}$; then the greatest common divisor of $x - y$ and $n$ is a nontrivial factor of $n$.
Proof. $x^2 \equiv y^2 \pmod{n}$, i.e., $n \mid x^2 - y^2 \Rightarrow n \mid (x-y)(x+y)$. But by assumption $n \nmid (x-y)$ and $n \nmid (x+y)$, hence the factors of $n$ must be "shared" between $(x-y)$ and $(x+y)$, hence the assertion follows.
The greatest common divisor of two numbers $a$ and $b$ can be efficiently computed using Euclid's extended algorithm. The problem of finding $x$ and $y$ fulfilling the conditions described in Proposition 6.8 can be solved by the quadratic sieve due to Pomerance and the number field sieve. The time complexity of these algorithms is given in Table 6.1.
Algorithm                 | Complexity
Quadratic Sieve           | $O(\exp((1 + o(1))\sqrt{\ln n \ln\ln n}))$
Elliptic Curve Factoring  | $O(\exp((1 + o(1))\sqrt{2 \ln p \ln\ln p}))$
Number Field Sieve        | $O(\exp((1.92 + o(1))(\ln n)^{1/3}(\ln\ln n)^{2/3}))$
Table 6.1.: Time complexity of the three most important factoring methods ($p$ is the smallest prime factor of $n$)
Year | Number  | Remarks
1994 | RSA-129 | Factored by Atkins, Gro, Lenstra, Leyland. They used a distributed quadratic sieve factoring method on 600 workstations.
1996 | RSA-130 |
1999 | RSA-155 | 8400 MIPS-years, about 300 PCs and workstations
2003 | RSA-576 | Factored by Franke et al. using a distributed version of the number field sieve (changed naming convention, RSA-576 has 174 digits)
2005 | RSA-640 | Factored by Bahr, Boehm, Franke and Kleinjung; the effort was about 30 2.2 GHz-Opteron-CPU years (RSA-640 has 193 digits)
2009 | RSA-768 | Factored by Kleinjung et al. using 2000 2.2 GHz-Opteron-CPU years (RSA-768 has 232 digits)
Table 6.2.: Factored RSA challenge numbers and used algorithms
History of Factoring
The history of factoring can be described following the successfully factored RSA challenge numbers. These numbers of the form $n = p \cdot q$ for two primes $p$ and $q$ are published by RSA Company (http://www.rsasecurity.com). Originally the naming convention for such a challenge number $n$ was RSA-$d$, where $d$ is the number of digits of $n$. This convention changed to RSA-$b$, where $b$ is the number of bits of $n$. Table 6.2 gives an impression of which RSA challenge numbers have been factored.
The time complexities for factoring algorithms described above indicate that factoring can be considered as a one-way function. The computation of the product $n = p \cdot q$ is easy, whereas the inverse operation, the factorization of $n$ into $p$ and $q$, is computationally infeasible.
6.3. The Extended Euclidean Algorithm
The Euclidean Algorithm (cf. Algorithm 3 for a pseudocode representation) computes the greatest common divisor $d$ of two integers $a$ and $b$. It is based on the following lemma:
Lemma. Let $a, b \in \mathbb{Z}$. Then $\gcd(a, b) = \gcd(b, a - qb)$ for all $q \in \mathbb{Z}$.
Proof. (i) $x \mid a$ and $x \mid b$ $\Rightarrow$ $x \mid b$ and $x \mid a - qb$,
(ii) $x \mid b$ and $x \mid a - qb$ $\Rightarrow$ $b = l_1 x$ and $a - qb = l_2 x$ $\Rightarrow$ $a = l_2 x + q l_1 x$ $\Rightarrow$ $x \mid a$.
By carrying along some intermediate results during this computation, the algorithm can also be used to compute integers $u$ and $v$ such that $a \cdot u + b \cdot v = \gcd(a, b) = d$. This variant of the algorithm is known as Extended Euclidean Algorithm; for a pseudocode description cf. Algorithm 4.
Observe that, if $\gcd(a, b) = 1$, then $au + bv = 1 \Rightarrow au \equiv 1 \pmod{b}$, hence the Extended Euclidean Algorithm can also be used to invert an integer $a$ modulo another integer $b$.
Example 6.9. In order to compute the multiplicative inverse of 1234 modulo 2009 we first derive equations from the Euclidean Algorithm as follows:
$2009 = 1 \cdot 1234 + 775$
$1234 = 1 \cdot 775 + 459$
$775 = 1 \cdot 459 + 316$
$459 = 1 \cdot 316 + 143$
$316 = 2 \cdot 143 + 30$
$143 = 4 \cdot 30 + 23$
$30 = 1 \cdot 23 + 7$
$23 = 3 \cdot 7 + 2$
$7 = 3 \cdot 2 + 1$.
Now that we have computed the greatest common divisor of 1234 and 2009, which is one, we backwards replace the remainders of the division steps:
$1 = 7 - 3 \cdot 2$
$= 7 - 3 \cdot (23 - 3 \cdot 7) = 10 \cdot 7 - 3 \cdot 23$
$= 10 \cdot (30 - 23) - 3 \cdot 23 = 10 \cdot 30 - 13 \cdot 23$
$= 10 \cdot 30 - 13 \cdot (143 - 4 \cdot 30) = 62 \cdot 30 - 13 \cdot 143$
$= 62 \cdot (316 - 2 \cdot 143) - 13 \cdot 143 = 62 \cdot 316 - 137 \cdot 143$
$= 62 \cdot 316 - 137 \cdot (459 - 316) = 199 \cdot 316 - 137 \cdot 459$
$= 199 \cdot (775 - 459) - 137 \cdot 459 = 199 \cdot 775 - 336 \cdot 459$
$= 199 \cdot 775 - 336 \cdot (1234 - 775) = 535 \cdot 775 - 336 \cdot 1234$
$= 535 \cdot (2009 - 1234) - 336 \cdot 1234 = 535 \cdot 2009 - 871 \cdot 1234$.
As $535 \cdot 2009 - 871 \cdot 1234 = 1 \Rightarrow (-871) \cdot 1234 \equiv 1 \pmod{2009}$ we conclude that $-871 \equiv 1138 \pmod{2009}$ is the multiplicative inverse of 1234 modulo 2009.
Algorithm 3 The Euclidean Algorithm
Input: Integers $a$ and $b$.
Output: The greatest common divisor $d$ of $a$ and $b$
while ($b \neq 0$) do
  $r \leftarrow a \bmod b$
  $a \leftarrow b$
  $b \leftarrow r$
end while
return $a$
Algorithm 4 The Extended Euclidean Algorithm
Input: Integers $a$ and $b$.
Output: An integer tuple $(u, d, v)$ satisfying $a \cdot u + b \cdot v = d = \gcd(a, b)$
$u \leftarrow 1$
$v \leftarrow 0$
$d \leftarrow a$
$v_1 \leftarrow 0$
$v_3 \leftarrow b$
while ($v_3 \neq 0$) do
  $q \leftarrow \lfloor d / v_3 \rfloor$
  $t_3 \leftarrow d \bmod v_3$
  $t_1 \leftarrow u - q v_1$
  $u \leftarrow v_1$
  $d \leftarrow v_3$
  $v_1 \leftarrow t_1$
  $v_3 \leftarrow t_3$
end while
$v \leftarrow \frac{d - a u}{b}$
return $(u, d, v)$
The number of divisions in the Euclidean Algorithm is not greater than $\log_{\phi}(\sqrt{5}\,a) - 2$, where $\phi = \frac{1}{2}(1 + \sqrt{5})$ is the golden ratio and $a > b$ is the greater argument of the algorithm. The least favorable case occurs if $a$ and $b$ are successive Fibonacci numbers.
6.4. The Chinese Remainder Theorem
The Chinese remainder theorem provides a method for solving systems of congruences. This will be useful in the following.
Theorem 6.10 (Chinese remainder theorem). Suppose $m_1, \ldots, m_r$ are pairwise relatively prime, $a_1, \ldots, a_r \in \mathbb{N}$. The system of congruences
$x \equiv a_i \pmod{m_i}$, $i = 1, \ldots, r$
has a unique solution modulo $M = \prod_{i=1}^{r} m_i$, given by
$x = \sum_{i=1}^{r} a_i M_i y_i \pmod{M}$,
where $M_i = \frac{M}{m_i}$, $y_i = M_i^{-1} \bmod m_i$, $i = 1, \ldots, r$.
Proof. Exercise.
7. The Discrete Logarithm and Related Cryptosystems
The discrete logarithm forms the basis of numerous cryptographic protocols; the most famous is the ElGamal cryptosystem.
Definition 7.1. Let $n \in \mathbb{N} \setminus \{1\}$, $a \in \mathbb{Z}_n^*$. Then
$\mathrm{ord}_n(a) = \min\{k \in \{1, \ldots, \varphi(n)\} \mid a^k \equiv 1 \pmod{n}\}$
is called the order of $a$ modulo $n$. If $\mathrm{ord}_n(a) = \varphi(n)$ we call $a$ a primitive element modulo $n$.
If $a$ is a primitive element modulo $n$, then for the powers of $a$ it holds that
$a, a^2, a^3, \ldots, a^{\varphi(n)-1} \not\equiv 1 \pmod{n}$,
and there exist no $1 \le i < j \le \varphi(n)$ with $a^i \equiv a^j \pmod{n}$, as then $a^{j-i} \equiv 1 \pmod{n}$, a contradiction to Definition 7.1. Hence,
$\langle a \rangle = \{a, a^2, a^3, \ldots, a^{\varphi(n)}\} = \mathbb{Z}_n^*$.
$\mathbb{Z}_n^*$ consists just of powers of $a$. Such groups are called cyclic, $a$ is called generator.
The question whether for a given $n$ the group $\mathbb{Z}_n^*$ is cyclic or not is answered by the following theorem:
Theorem 7.2. Let $n \in \mathbb{N}$.
a) There exists a primitive element modulo $n$ if and only if
$n \in \{2, 4, p^k, 2p^k \mid p \ge 3 \text{ prime}, k \in \mathbb{N}\}$.
b) If there exists a primitive element modulo $n$, then there exist $\varphi(\varphi(n))$ many.
Proof. Exercise.
Example 7.3. Let $n = 7$, $\varphi(n) = 6$. Determine all primitive elements modulo $n$:
$a$ | powers of $a$ in $\mathbb{Z}_7$
$a = 2$ | $a = 2$, $a^2 = 4$, $a^3 = 1$ $\Rightarrow$ 2 is not a primitive element modulo 7
$a = 3$ | $a = 3$, $a^2 = 2$, $a^3 = 6$, $a^4 = 4$, $a^5 = 5$, $a^6 = 1$ $\Rightarrow$ 3 is a primitive element modulo 7
$a = 5$ | $a = 5$, $a^2 = 4$, $a^3 = 6$, $a^4 = 2$, $a^5 = 3$, $a^6 = 1$ $\Rightarrow$ 5 is a primitive element modulo 7
It holds that $\varphi(\varphi(7)) = \varphi(6) = |\{1, 5\}| = 2$. Hence, 3 and 5 are the only primitive elements modulo 7.
Now that generators of $\mathbb{Z}_n^*$ are defined we can define the discrete logarithm as follows:
Definition 7.4. Let $a$ be a primitive element modulo $n$, $y \in \mathbb{Z}_n^*$. There exists a unique $x \in \{0, \ldots, \varphi(n)-1\}$ with $a^x \equiv y \pmod{n}$. $x$ is called the discrete logarithm of $y$. We will use the notation $x = \log_a y$.
Exponentiation Modulo $n$ as a One-Way Function
The function $y = a^x \bmod n$ can be considered a one-way function, as the exponentiation can be efficiently computed using the so called "square and multiply" algorithm (cf. Algorithm 5), whereas the computation of the discrete logarithm is computationally infeasible for appropriate $a$ and $n$.
Algorithm 5 Square and multiply
Input: $x = (x_t, \ldots, x_0) \in \mathbb{N}$ in binary representation, $a \in \mathbb{N}$
Output: $a^x \bmod n$
$y \leftarrow a$
for ($i = t-1$; $i \ge 0$; $i$--) do
  $y \leftarrow y^2 \bmod n$
  if ($x_i = 1$) then
    $y \leftarrow y \cdot a \bmod n$
  end if
end for
return $y$
The number of multiplications in Algorithm 5 is $\lfloor \log_2 x \rfloor + \nu(x) - 1$, where $\nu(x)$ is the number of bits with value one in the binary representation of $x$.
An overview of existing algorithms for the computation of the discrete logarithm is given in [MvOV96], Chapter 3; a more detailed description can be found in [CFD$^+$06], Chapter 19.
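Algorithm 5 with a counter that checks the multiplication count $\lfloor \log_2 x \rfloor + \nu(x) - 1$, the order of Definition 7.1, the primitive-element search of Example 7.3 and a brute-force discrete logarithm (Definition 7.4), as an added runnable illustration that is not code from the lecture notes. The modulus 7 and the exponent 13 are the text's values and constructed inputs, respectively.

```python
# Added example (not from the lecture notes): Algorithm 5 with a counter
# that confirms the multiplication count floor(log2 x) + nu(x) - 1, the
# order ord_n(a) of Definition 7.1, the primitive-element search of
# Example 7.3, and a brute-force discrete logarithm (Definition 7.4).
from math import gcd


def square_and_multiply(a: int, x: int, n: int):
    """Algorithm 5: returns (a^x mod n, number of modular multiplications).
    x is scanned from its most significant bit x_t (which is 1) downwards."""
    if x <= 0:
        raise ValueError("exponent must be positive")
    bits = bin(x)[2:]           # x_t ... x_0 with x_t = 1
    y = a % n
    mults = 0
    for bit in bits[1:]:        # i = t-1, ..., 0
        y = y * y % n           # squaring step
        mults += 1
        if bit == "1":
            y = y * a % n       # multiply step
            mults += 1
    return y, mults


def predicted_multiplications(x: int) -> int:
    """floor(log2 x) + nu(x) - 1, where nu(x) counts the one bits of x."""
    return (x.bit_length() - 1) + bin(x).count("1") - 1


def euler_phi(n: int) -> int:
    """|Z_n^*| by direct count (fine for the tiny n used here)."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def order(a: int, n: int) -> int:
    """ord_n(a) = min{k in 1..phi(n) : a^k = 1 (mod n)} for a in Z_n^*."""
    if gcd(a, n) != 1:
        raise ValueError("a must be a unit modulo n")
    y = 1
    for k in range(1, euler_phi(n) + 1):
        y = y * a % n
        if y == 1:
            return k
    raise AssertionError("unreachable by Euler's theorem")


def primitive_elements(n: int) -> list:
    """All a with ord_n(a) = phi(n); Theorem 7.2 b) says there are
    phi(phi(n)) of them whenever one exists."""
    phi = euler_phi(n)
    return [a for a in range(1, n) if gcd(a, n) == 1 and order(a, n) == phi]


def discrete_log(a: int, y: int, n: int) -> int:
    """x in {0..phi(n)-1} with a^x = y (mod n) by exhaustive search; this
    is only feasible for tiny n, which is the one-way property of the text."""
    acc = 1
    for x in range(euler_phi(n)):
        if acc == y % n:
            return x
        acc = acc * a % n
    raise ValueError("y is not a power of a modulo n")


if __name__ == "__main__":
    print("primitive elements mod 7:", primitive_elements(7))       # [3, 5]
    print("3^13 mod 7 and multiplications:", square_and_multiply(3, 13, 7))
    print("log_3 6 mod 7 =", discrete_log(3, 6, 7))
```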
7.1. Diffie-Hellman Key Distribution and Key Agreement
Based on the one-way function described in the preceding section, Diffie and Hellman developed an (unauthenticated) key agreement protocol [DH76], allowing two parties to establish a shared (secret) key over an open channel. The system consists of the following steps:
Initial setup:
A prime $p$ and a primitive element $a$ modulo $p$ are selected and published.
Protocol actions:
- A chooses a random secret $x \in \{2, \ldots, p-2\}$ and sends to B: $u = a^x \bmod p$.
- B chooses a random secret $y \in \{2, \ldots, p-2\}$ and sends to A: $v = a^y \bmod p$.
- B receives $u$ and computes the shared key $u^y = (a^x)^y \bmod p$.
- A receives $v$ and computes the shared key $v^x = (a^y)^x \bmod p$.
The first step, the generation of $p$ and $a$, requires a test whether a given $a \in \{2, \ldots, p-1\}$ is a primitive element modulo $p$; this can be done using the following proposition:
Proposition 7.5. Let $p \ge 3$ be prime, $p - 1 = \prod_{i=1}^{k} p_i^{t_i}$ the prime factorization of $p - 1$. Then
$a$ is a primitive element modulo $p$ $\Leftrightarrow$ $a^{(p-1)/p_i} \not\equiv 1 \pmod{p}$ for all $i = 1, \ldots, k$.
Hence, appropriate parameters $p$ and $a$ can be found by first choosing a large random prime $q$ until $p = 2q + 1$ is prime as well, and then randomly choosing $a \in \{2, \ldots, p-1\}$ until $a^2 \not\equiv 1 \pmod{p}$ and $a^q \not\equiv 1 \pmod{p}$. The probability to choose a suitable $a$ in the second step can be computed by considering the number of primitive elements modulo $p$. It holds that
$\varphi(\varphi(p)) = \varphi(p-1) = \varphi(2)\varphi(q) = q - 1$.
So we conclude that
$P(\text{Select a primitive element modulo } p \text{ in the second step}) = \frac{q-1}{p-2} = \frac{q-1}{2q-1} \approx \frac{1}{2}$.
The opponent O can retrieve $u = a^x$ and $v = a^y$ by sniffing information on the channel. If O is able to compute one of the discrete logarithms $\log_a u$ and $\log_a v$, the system is broken (breaking the DH-procedure is no harder than calculating discrete logarithms).
Remark. Primes $p \in \mathbb{N}$ such that $2p + 1$ is also prime are called Sophie-Germain-primes (SG-primes). It is conjectured that
$|\{p \mid p \le N, p \text{ SG-prime}\}| \approx \frac{2 C_2 N}{\log^2 N}$
with the twin prime constant $C_2 \approx 0.66$. Hence, there are sufficiently many SG-primes.
Definition 7.6. Let $a$ be a primitive element modulo a prime $p$. Given $a$, $p$, $a^x \bmod p$ and $a^y \bmod p$, the Diffie-Hellman-Problem (DHP) is to calculate $a^{xy} \bmod p$.
An efficient algorithm to solve the DHP would break the DH-key-agreement protocol; however, it is still an open question whether an efficient algorithm to solve the DHP leads to an efficient algorithm to compute discrete logarithms.
7.1.1. Intruder-in-the-Middle Attack on the DH-System
An active intruder can mount an attack against the DH-system: Let $p = 2q + 1$ with $p$ and $q$ prime. Then $a^q = a^{(p-1)/2}$ has order 2, since $(a^{(p-1)/2})^2 \equiv a^{p-1} \equiv 1 \pmod{p}$ (by Fermat's little theorem). This can be used in an attack as follows:
A computes $a^x$; when trying to send this to B, the opponent O intercepts the message and changes it to $a^{xq}$, so B receives $a^{xq}$. The message $a^y$ from B to A is changed in the same way, so A receives $a^{yq}$. Now A and B compute the shared key, which is $a^{xyq}$.
The opponent knows that for $a^{xyq} = (a^q)^{xy}$ there are only two possibilities, namely $a^q = 1$ and $a^q = -1$. Hence, Oscar can simply try these two possibilities and then eavesdrop on the communication between A and B.
This example points out the importance of the authenticity of the exponentials $a^x$ and $a^y$, which is usually ensured by the use of digital signatures in practical applications.
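Parameter generation with $p = 2q + 1$, the primitive-element test of Proposition 7.5, the exchange of Section 7.1, and a receiver-side validity check that rejects the order-2 values a substituted exponential of the form $a^{xq}$ takes, as an added runnable illustration (not code from the lecture notes). The safe prime 23, the generator 5 and the secrets 6 and 15 are constructed toy values.

```python
# Added example (not from the lecture notes): parameter generation with
# p = 2q + 1, the primitive-element test of Proposition 7.5, the DH
# exchange of Section 7.1, and a receiver-side check that rejects the
# order-1/order-2 values a^(xq) which the substitution in Section 7.1.1
# produces.  The prime 23 = 2*11 + 1 and all secrets are toy values.
from math import isqrt


def is_prime(n: int) -> bool:
    """Trial division; sufficient for the toy parameters used here."""
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))


def prime_factors(n: int) -> list:
    """Distinct prime factors of n by trial division."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def is_primitive(a: int, p: int) -> bool:
    """Proposition 7.5: a is primitive mod p iff a^((p-1)/p_i) != 1 (mod p)
    for every prime p_i dividing p - 1."""
    return all(pow(a, (p - 1) // pi, p) != 1 for pi in prime_factors(p - 1))


def next_safe_prime(q: int) -> tuple:
    """Increase q until q and p = 2q + 1 are both prime; return (p, q)."""
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1, q


def valid_exponential(u: int, p: int) -> bool:
    """A received exponential must lie in {2, ..., p-2}.  For p = 2q + 1
    this excludes exactly the elements 1 and p-1 of order <= 2, i.e. every
    value of the form a^(xq)."""
    return 2 <= u <= p - 2


def dh_shared_key(received: int, secret: int, p: int) -> int:
    """Derive the shared key only after validating the peer's value."""
    if not valid_exponential(received, p):
        raise ValueError("received exponential has order <= 2; abort")
    return pow(received, secret, p)


def dh_exchange(p: int, a: int, x: int, y: int) -> tuple:
    """Run the protocol: A sends u = a^x, B sends v = a^y.
    Returns (u, v, key computed by A, key computed by B)."""
    u, v = pow(a, x, p), pow(a, y, p)
    return u, v, dh_shared_key(v, x, p), dh_shared_key(u, y, p)


if __name__ == "__main__":
    p, q = next_safe_prime(10)                       # (23, 11)
    gens = [a for a in range(2, p) if is_primitive(a, p)]
    print("p =", p, "q =", q, "primitive elements:", gens, "count q-1 =", q - 1)
    print("exchange (u, v, key_A, key_B):", dh_exchange(p, 5, 6, 15))
    substituted = pow(5, 6 * q, p)                   # a^(xq): order <= 2
    print("a^(xq) =", substituted, "accepted:", valid_exponential(substituted, p))
```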
7.2. Shamir's No-Key Protocol
The idea behind Shamir's no-key protocol is often illustrated by the story of a princess who wants to send a love letter to a knight. Unfortunately she doesn't trust the messenger, so she puts the letter in a padlocked box. When the knight obtains the box he adds a second padlock to the box, then he sends the box back to the princess. She now opens her padlock and once again sends the messenger with the box to the knight. He is now able to open his padlock and retrieve the letter.
The mathematical analogue of this story is based on the following proposition:
Proposition 7.7. Let $p$ be prime, $a, b \in \mathbb{Z}_{p-1}^*$. Then for all $m \in \mathbb{Z}_p$ it holds that
$m^{a b a^{-1} b^{-1}} \equiv m \pmod{p}$.
Proof. $a^{-1}, b^{-1} \in \mathbb{Z}_{p-1}^*$ exist by definition, satisfying $a a^{-1} \equiv 1 \pmod{p-1}$ and $b b^{-1} \equiv 1 \pmod{p-1}$, i.e., $b b^{-1} = t(p-1) + 1$ for some $t \in \mathbb{Z}$. Hence, for all $m \in \mathbb{Z}_p$ it holds that
$m^{a b a^{-1} b^{-1}} \bmod p = \big(\underbrace{m^a \bmod p}_{=c}\big)^{b b^{-1} a^{-1}} \bmod p = \big(\underbrace{c^{t(p-1)}}_{\equiv 1} \cdot c\big)^{a^{-1}} \bmod p = m^{a a^{-1}} \bmod p = m \bmod p$.
Shamir's no-key protocol is derived from the above proposition as follows:
Initial setup:
Choose and publish a prime $p$.
Protocol actions:
- A and B choose secret random numbers $a, b \in \mathbb{Z}_{p-1}^*$ and calculate $a^{-1}$, $b^{-1}$, resp.
- A sends to B: $c_1 = m^a \bmod p$.
- B sends to A: $c_2 = c_1^{b} \bmod p$.
- A sends to B: $c_3 = c_2^{a^{-1}} \bmod p$.
- B deciphers: $m = c_3^{b^{-1}} \bmod p$.
Observe that this protocol does not include an authentication of the messages; hence, it offers protection from passive adversaries only.
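The three passes of the protocol and the identity of Proposition 7.7 behind them, as an added runnable illustration (not code from the lecture notes). The prime $p = 23$, the secrets $a = 3$, $b = 5$ and the message 7 are constructed values; inversion modulo $p - 1$ uses Python's `pow(a, -1, n)` (Python 3.8 or newer).

```python
# Added example (not from the lecture notes): Shamir's no-key protocol and
# the identity of Proposition 7.7 behind it, with constructed values
# p = 23, a = 3, b = 5 and message m = 7.


def inverse_mod(a: int, n: int) -> int:
    """a^{-1} mod n (Python 3.8+ pow with exponent -1; raises if no inverse)."""
    return pow(a, -1, n)


def proposition_7_7(m: int, a: int, b: int, p: int) -> bool:
    """Check m^(a b a^-1 b^-1) = m (mod p) for a, b in Z*_{p-1}.
    The exponent is 1 modulo p-1 and positive, so it holds for all m in Z_p."""
    a_inv, b_inv = inverse_mod(a, p - 1), inverse_mod(b, p - 1)
    return pow(m, a * b * a_inv * b_inv, p) == m % p


def no_key_protocol(m: int, a: int, b: int, p: int) -> dict:
    """The three passes: A locks with a, B adds lock b, A removes lock a,
    B removes lock b.  Every message is returned so the run can be inspected;
    an eavesdropper seeing c1, c2, c3 still has to solve discrete logarithms."""
    a_inv, b_inv = inverse_mod(a, p - 1), inverse_mod(b, p - 1)
    c1 = pow(m, a, p)            # A -> B: m^a
    c2 = pow(c1, b, p)           # B -> A: m^(ab)
    c3 = pow(c2, a_inv, p)       # A -> B: m^b
    recovered = pow(c3, b_inv, p)
    return {"c1": c1, "c2": c2, "c3": c3, "recovered": recovered}


if __name__ == "__main__":
    print(no_key_protocol(7, 3, 5, 23))
```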
8. Public-Key Cryptography
The idea behind public-key cryptosystems was published by Diffie and Hellman in 1976 [DH76]. In 1997 the British government released a paper by James Ellis from 1970 that already contained this idea [Ell70], but was not published due to nondisclosure interests of the British secret service. Ellis did not live to see the publication of his idea; he died one month before his paper was finally published.
The idea of public-key cryptography (also known as asymmetric cryptography) may be described as follows:
- All users use the same encryption function $e$ and decryption function $d$.
- Each user has a pair of keys $(K, L)$ such that $d(e(M, K), L) = M$ for all $M \in \mathcal{M}$.
- $K$ is made public, $L$ is secret (private).
Requirements:
i) The encryption $C = e(M, K)$ must be computationally easy, whereas solving for $M$, given $C$ and $K$, should be infeasible.
ii) The decryption $M = d(C, L)$ must be easy.
iii) $(K, L)$ must be easy to generate.
iv) There exist sufficiently many pairs $(K, L)$, such that exhaustive search is impossible.
8.1. The RSA-Cryptosystem
The first cryptosystem that implemented the above idea was published by Rivest, Shamir and Adleman in 1978 [RSA78]. Also the idea behind this system was invented earlier, but not published until 1997 by the British secret service [Coc73].
The protocol actions of this so called RSA-cryptosystem are the following:
i) Choose two large prime numbers $p \neq q$ and compute $n = pq$ and $\varphi(n) = (p-1)(q-1)$.
ii) Choose $d \in \mathbb{Z}_{\varphi(n)}^*$, compute $e = d^{-1} \bmod \varphi(n)$.
iii) Now the public key is $(e, n)$, the private key is $d$.
iv) Given a message $m \in \{1, \ldots, n-1\}$ encryption is given by
$c = m^e \bmod n$.
Decryption is carried out by
$b = c^d \bmod n$.
The proof of correctness of the RSA-cryptosystem, namely the proof that $b = m$, will be given in the next two propositions:
Proposition 8.1. Let $p \neq q$ prime, $x, y \in \mathbb{N}$, then
$x \equiv y \pmod{p}$ and $x \equiv y \pmod{q}$ $\Leftrightarrow$ $x \equiv y \pmod{p \cdot q}$.
Proof. $p \mid x - y$, $q \mid x - y$ $\Leftrightarrow$ $p \cdot q \mid x - y$ (since $p$ and $q$ are relatively prime).
Proposition 8.2 (Correctness of RSA). Let $p \neq q$ prime, $n = p \cdot q$. Let further $d, d^{-1} \in \mathbb{Z}_{\varphi(n)}^*$ and $0 \le m < n$, $c = m^e \bmod n$. Then
$m = c^d \bmod n$.
Proof. From $d d^{-1} \equiv 1 \pmod{\varphi(n)}$ it follows that there exists $t \in \mathbb{Z}$ such that $d d^{-1} = t\varphi(n) + 1 = t(p-1)(q-1) + 1$. Now we consider two cases:
First case: $\gcd(m, p) = 1$:
$(m^{d^{-1}})^d \equiv m^{d^{-1} d} \equiv m^{t(p-1)(q-1)} \cdot m \equiv (m^{p-1})^{t(q-1)} \cdot m \pmod{p}$.
We now apply Fermat's little theorem and get
$(m^{p-1})^{t(q-1)} \cdot m \equiv 1^{t(q-1)} \cdot m \equiv m \pmod{p}$.
Second case: $\gcd(m, p) = p$:
$p \mid m$, i.e., $m \equiv 0 \pmod{p}$ $\Rightarrow$ $m^{d^{-1} d} \equiv 0 \equiv m \pmod{p}$.
Analogous arguments hold for $(m^{d^{-1}})^d \equiv m \pmod{q}$, hence we use Proposition 8.1 to conclude
$(m^{d^{-1}})^d \equiv m \pmod{p \cdot q}$.
8.1.1. Security of RSA
The chosen-plaintext attack is the most relevant attack against the RSA-cryptosystem, since anybody can encrypt an arbitrary number of messages using the public key. Hence, in our considerations we assume that the public key $e = d^{-1} \pmod{\varphi(n)}$ and an arbitrary number of pairs $(m, c)$ is known to the attacking opponent. The following types of attacks are conceivable to break the RSA-cryptosystem:
1. Factoring of $n$ into $p$ and $q$ allows for the computation of $\varphi(n) = (p-1)(q-1)$ and the computation of $d = e^{-1} \pmod{\varphi(n)}$ (using the Extended Euclidean Algorithm). But factoring of RSA-numbers (numbers of the form $n = p \cdot q$ for two primes $p \neq q$) of an appropriate size (for example $\log_2 n \approx 2048$) is infeasible.
2. The computation of square roots modulo $n$ allows factoring $n$. This fact can be derived from the following proposition:
Proposition 8.3. Let $n = pq$, $p \neq q$ prime and $x$ a nontrivial solution of $x^2 \equiv 1 \pmod{n}$, i.e., $x \not\equiv \pm 1 \pmod{n}$. Then
$\gcd(x + 1, n) \in \{p, q\}$.
Proof. Exercise.
3. Another possibility of breaking RSA could be to compute $\varphi(n)$ without factoring $n$. But any efficient algorithm for computing $\varphi(n)$ yields an efficient algorithm for factoring $n$, hence computing $\varphi(n)$ is no easier than factoring. This can be shown as follows:
Let $n = p \cdot q$, $p, q$ prime, $\varphi(n) = (p-1)(q-1)$. We now derive three equations:
$\varphi(n) = (p-1)(q-1) = pq - p - q + 1 \Rightarrow p + q = n - \varphi(n) + 1$, (8.1)
$(p-q)^2 = (p+q)^2 - 4pq \Rightarrow (p-q)^2 = (p+q)^2 - 4n$, (8.2)
$q = \frac{1}{2}\big((p+q) - (p-q)\big)$. (8.3)
From equation 8.1 we get $(p+q)$, from equation 8.2 we get $(p-q)$, and using these results together with equation 8.3 we get $q$.
4. Computing $d = e^{-1}$ without knowing $\varphi(n)$ could be another attack against the RSA cryptosystem. The next proposition shows that also such an attack would lead to an efficient (probabilistic) factoring algorithm:
Proposition 8.4. Let $n = p \cdot q$, $p, q$ prime. Any efficient algorithm for computing $b^{-1} \bmod \varphi(n)$ leads to an efficient probabilistic algorithm for factoring $n$ with error probability $\le \frac{1}{2}$.
Proof. See [Sti95].
This algorithm can be repeated until a factorization is found; hence, computing $b^{-1} \bmod \varphi(n)$ is not (essentially) easier than factoring.
5. So called side-channel attacks have been introduced by Paul Kocher [Koc96]. The idea is to investigate physical quantities such as time or power consumption of concrete implementations of cryptosystems. This information may then be used to deduce (parts of) the secret key.
A detailed description of side-channel attacks can be found in [WT02, Chapter 6]; an example of how a so called fault-induction attack can be mounted against RSA is described in Section 9.1.
8.1.2. Implementation of RSA
This section shortly describes which algorithms can be used to efficiently implement the RSA-cryptosystem.
Key generation: The two large prime numbers can be found using the Miller-Rabin primality test.
Choice of $d \in \mathbb{Z}_{\varphi(n)}^*$: One possibility to find a $d \in \mathbb{Z}_{\varphi(n)}^*$ is to just increment some $d_0$ until $\gcd(d_0, \varphi(n)) = 1$. Another possibility is to choose $d$ prime, $d > \max\{p, q\}$.
Computation of $e$: The inverse $e = d^{-1} \bmod \varphi(n)$ can be computed using the Extended Euclidean Algorithm.
En- and decryption: The exponentiation in the en- and decryption procedure can be efficiently implemented using the square-and-multiply algorithm (cf. Algorithm 5).
Hardware: For a table listing RSA-hardware, see [Sch96, Table 19.3].
8.1.3. The RSA Signature Scheme
A method for signing a message stored in electronic form is also called digital signature. The requirements for such signatures are the same as for conventional signatures, namely
- they must be verifiable,
- they must be forgery-proof,
- they must be firmly connected to the document.
Usually a document is first compressed to a short string, which then is signed (cf. chapter on Hash functions).
The RSA-cryptosystem can not only be used for asymmetric encryption but also as a signature scheme. In the description we use the notation $(e_A, n_A)$ for A's public RSA-key and analogously $d_A$ for A's private RSA-key (cf. Section 8.1).
Signature Generation Given a message $m \in \mathbb{N}$, $0 < m < n_A - 1$, A computes $s = m^{d_A} \bmod n_A$; $s$ is then A's signature for the message $m$.
Verification B computes $m' = s^{e_A} \bmod n_A$ using A's public key $e_A$. If $m' = m$, B accepts the signature.
It follows from Proposition 8.2 that if $s$ is a valid signature for $m$, then
$s^{e_A} \equiv m^{e_A d_A} \equiv m \pmod{n_A}$.
Security of the RSA Signature Scheme
An opponent Oscar cannot change $m$ to $m'$ and use the signature $s$ for $m'$, as $m' \neq s^{e_A} \bmod n_A$. He can also not generate valid signatures, since $d_A$ is private.
On the other hand an opponent can generate a message $q$ with valid signature $s$, by first choosing $s$ and then computing the message $q$ as
$q = s^{e_A} \bmod n_A$.
As $q^{d_A} \bmod n_A = s$, $s$ is a valid signature for $q$, but $q$ will be meaningless with very high probability.
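RSA key generation in the text's convention ($d$ chosen, $e = d^{-1} \bmod \varphi(n)$), encryption, the signature scheme of Section 8.1.3, and two facts from Section 8.1.1: recovering $p$ and $q$ from $\varphi(n)$ via (8.1)-(8.3), and the factor from a nontrivial square root of 1 (Proposition 8.3). This is an added runnable illustration, not code from the lecture notes; the primes 61, 53, the choice $d = 17$, the message 65 and the square root 794 are constructed toy values, far too small for real use.

```python
# Added example (not from the lecture notes): RSA with the text's convention
# (d chosen, e = d^-1 mod phi(n)), the signature scheme of Section 8.1.3,
# and two facts from Section 8.1.1: recovering p, q from phi(n) via
# (8.1)-(8.3) and the factor from a nontrivial square root of 1
# (Proposition 8.3).  Primes 61, 53 and d = 17 are constructed toy values.
from math import gcd, isqrt


def rsa_keygen(p: int, q: int, d: int) -> tuple:
    """Steps i)-iii): returns ((e, n), d) with e = d^-1 mod phi(n)."""
    if p == q:
        raise ValueError("p and q must differ")
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(d, phi) != 1:
        raise ValueError("d must be a unit modulo phi(n)")
    e = pow(d, -1, phi)         # Extended Euclidean Algorithm (Python 3.8+)
    return (e, n), d


def encrypt(m: int, public: tuple) -> int:
    """Step iv): c = m^e mod n for m in {1, ..., n-1}."""
    e, n = public
    if not 1 <= m <= n - 1:
        raise ValueError("message out of range")
    return pow(m, e, n)


def decrypt(c: int, d: int, n: int) -> int:
    return pow(c, d, n)


def sign(m: int, d: int, n: int) -> int:
    """s = m^d mod n (no hashing, as in the text's plain scheme)."""
    return pow(m, d, n)


def verify(m: int, s: int, public: tuple) -> bool:
    """Accept iff s^e mod n equals the claimed message."""
    e, n = public
    return pow(s, e, n) == m


def factor_from_phi(n: int, phi: int) -> tuple:
    """(8.1): p + q = n - phi + 1;  (8.2): (p - q)^2 = (p + q)^2 - 4n;
    (8.3): q = ((p + q) - (p - q)) / 2.  Returns (p, q) with p >= q."""
    s = n - phi + 1
    diff_sq = s * s - 4 * n
    diff = isqrt(diff_sq)
    if diff_sq < 0 or diff * diff != diff_sq:
        raise ValueError("phi is not phi(n) for a two-prime modulus n")
    q = (s - diff) // 2
    return n // q, q


def factor_from_sqrt_of_one(x: int, n: int) -> int:
    """Proposition 8.3: x^2 = 1 (mod n), x != +-1 (mod n) => gcd(x+1, n) in {p, q}."""
    if x * x % n != 1 or x % n in (1, n - 1):
        raise ValueError("x is not a nontrivial square root of 1 modulo n")
    return gcd(x + 1, n)


if __name__ == "__main__":
    public, d = rsa_keygen(61, 53, 17)
    n = public[1]
    c = encrypt(65, public)
    s = sign(65, d, n)
    print("public key", public, "c =", c, "decrypted:", decrypt(c, d, n))
    print("signature accepted:", verify(65, s, public),
          "accepted for altered message:", verify(66, s, public))
    print("p, q recovered from phi(n):", factor_from_phi(3233, 3120))
    print("factor of 3233 from 794^2 = 1:", factor_from_sqrt_of_one(794, 3233))
```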
8.2. The ElGamal Cryptosystem
In 1985 Taher ElGamal introduced a public key cryptosystem whose security is based on the discrete logarithm problem [ElG85]. This section compendiously presents this cryptosystem.
Public domain parameters: A large prime number $p$ and a primitive element $a$ modulo $p$.
Private key: Some random secret $x \in \{2, \ldots, p-2\}$.
Public key: $y = a^x \bmod p$.
Encryption: Let $m \in \{1, \ldots, p-1\}$ be the message.
- Choose some random secret $k \in \{1, \ldots, p-1\}$,
- compute $K = y^k \bmod p$,
- generate the cryptogram $C = (C_1, C_2)$ with $C_1 = a^k \bmod p$ and $C_2 = K \cdot m \bmod p$.
Decryption: Compute $C_1^x \bmod p = K$
(it holds that $C_1^x = (a^k)^x \bmod p = (a^x)^k \bmod p = y^k \bmod p = K$),
recover $m = K^{-1} C_2 \bmod p$.
As in each encryption procedure a session key $k$ is chosen, the same plaintext $m$ can have different ciphertexts. The ElGamal cryptosystem is related to the Diffie-Hellman key-exchange protocol, as it may be interpreted as first agreeing upon the joint key $K$ and then encrypting $m$ by multiplication by $K$. The decryption of ElGamal without the knowledge of the private key $x$ is equivalent to solving the DH problem.
8.3. Generalized ElGamal Encryption
ElGamal encryption works in any cyclic group $G$. Security is based on the intractability of the discrete logarithm problem [ElG85]. The following list contains appropriate groups:
i. $\mathbb{Z}_p^*$, $p$ prime (see above)
ii. $\mathbb{F}_{2^m}^*$, the multiplicative group of the finite field $\mathbb{F}_{2^m}$, $m \in \mathbb{N}$
iii. Group of points on an elliptic curve (cf. Chapter 13)
iv. $\mathbb{F}_{p^m}^*$, the multiplicative group of $\mathbb{F}_{p^m}$, $m \in \mathbb{N}$
Generalized ElGamal Cryptosystem
Public domain parameters: Select a cyclic group $G$ of order $n$, with a primitive element $a$. ($G$ is written multiplicatively.)
Private key: Some random secret $x \in \{1, \ldots, n-1\}$.
Public key: $a$, description of $G$, and $y = a^x$ in $G$.
Encryption: Let $m \in G$ be the message.
- Choose some random secret $k \in \{1, \ldots, n-1\}$,
- compute $K = y^k$ in $G$,
- generate the cryptogram $C = (C_1, C_2)$ with $C_1 = a^k$ and $C_2 = K \cdot m$ in $G$.
Decryption: Compute $C_1^x = K$ (it holds that $C_1^x = a^{kx} = y^k = K$),
recover $m = C_1^{-x} \cdot C_2 = K^{-1} \cdot C_2$.
Example. $G = \mathbb{F}_{2^4}^*$
Elements are polynomials of degree $\le 3$ over $\mathbb{F}_2$ and the multiplication is taken modulo the irreducible polynomial $f(u) = u^4 + u + 1$. The element $a_3 u^3 + a_2 u^2 + a_1 u + a_0 \in \mathbb{F}_{2^4}$ is represented by the binary string $(a_3\, a_2\, a_1\, a_0)$. $G$ has order 15, $a = (0\,0\,1\,0)$ is a generator, since $a^k$, $k = 1, \ldots, 15$ is
$u,\ u^2,\ u^3,\ u + 1,\ u^2 + u,\ u^3 + u^2,\ u^3 + u + 1,\ u^2 + 1,\ u^3 + u,$
$u^2 + u + 1,\ u^3 + u^2 + u,\ u^3 + u^2 + u + 1,\ u^3 + u^2 + 1,\ u^3 + 1,\ 1$.
A chooses $x = 7$.
A's public key: $a = (0\,0\,1\,0)$, $y = a^7 = (1\,0\,1\,1)$
Encryption: $m = (1\,1\,0\,0) = a^6$
B selects $k = 11$,
computes $K = y^{11} = a^{7 \cdot 11} = a^{15 \cdot 5 + 2} = a^2 = (0\,1\,0\,0)$,
$C_1 = a^{11} = (1\,1\,1\,0)$, and
$C_2 = K \cdot m = a^2 \cdot a^6 = a^8 = (0\,1\,0\,1)$.
Decryption: A computes $C_1^x = (0\,1\,0\,0) = a^2 = K$,
$K^{-1} = a^{13} = (1\,1\,0\,1)$, and
$m = K^{-1} \cdot C_2 = a^{13} \cdot a^8 = a^6$.
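The generalized ElGamal example in $G = \mathbb{F}_{2^4}^*$ worked in code, as an added runnable illustration that is not code from the lecture notes. Field elements are 4-bit integers $(a_3 a_2 a_1 a_0)$, multiplication is reduced modulo $u^4 + u + 1$, and the values $a = (0010)$, $x = 7$, $m = (1100)$, $k = 11$ are those of the example.

```python
# Added example (not from the lecture notes): the generalized ElGamal
# example in G = F*_{2^4} worked in code.  Field elements are 4-bit
# integers (a3 a2 a1 a0), multiplication is modulo u^4 + u + 1, and the
# values a = (0010), x = 7, m = (1100), k = 11 are those of the text.
MODULUS = 0b10011          # u^4 + u + 1
GROUP_ORDER = 15           # |F*_{2^4}|


def gf16_mul(x: int, y: int) -> int:
    """Multiply two polynomials over F_2 and reduce modulo u^4 + u + 1."""
    r = 0
    for i in range(4):                     # schoolbook product, degree <= 6
        if (y >> i) & 1:
            r ^= x << i
    for shift in (2, 1, 0):                # cancel the u^6, u^5, u^4 terms
        if r & (1 << (shift + 4)):
            r ^= MODULUS << shift
    return r


def gf16_pow(x: int, e: int) -> int:
    """Square-and-multiply in the field; the exponent is taken modulo the
    group order 15, so gf16_pow(x, 15) == 1 for every nonzero x."""
    result, base, e = 1, x, e % GROUP_ORDER
    while e:
        if e & 1:
            result = gf16_mul(result, base)
        base = gf16_mul(base, base)
        e >>= 1
    return result


def gf16_inv(x: int) -> int:
    """x^{-1} = x^{14} in a group of order 15."""
    return gf16_pow(x, GROUP_ORDER - 1)


def powers(a: int) -> list:
    """a^1, ..., a^15; a generates G iff these 15 values are distinct."""
    return [gf16_pow(a, k) for k in range(1, GROUP_ORDER + 1)]


def elgamal_keygen(a: int, x: int) -> int:
    """Public key y = a^x in G."""
    return gf16_pow(a, x)


def elgamal_encrypt(a: int, y: int, m: int, k: int) -> tuple:
    """K = y^k, C1 = a^k, C2 = K * m; returns (C1, C2)."""
    K = gf16_pow(y, k)
    return gf16_pow(a, k), gf16_mul(K, m)


def elgamal_decrypt(c: tuple, x: int) -> int:
    """K = C1^x, m = K^{-1} * C2."""
    c1, c2 = c
    K = gf16_pow(c1, x)
    return gf16_mul(gf16_inv(K), c2)


def fmt(v: int) -> str:
    return format(v, "04b")


if __name__ == "__main__":
    a, x, m, k = 0b0010, 7, 0b1100, 11
    y = elgamal_keygen(a, x)
    c = elgamal_encrypt(a, y, m, k)
    print("powers of a:", [fmt(p) for p in powers(a)])
    print("y =", fmt(y), "C1 =", fmt(c[0]), "C2 =", fmt(c[1]),
          "decrypted m =", fmt(elgamal_decrypt(c, x)))
```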
8.4. Public Key Infrastructure
A public key infrastructure (PKI) is a pervasive security infrastructure whose services are implemented and delivered using public-key concepts and techniques. The most important components are:
- Certificate issuance (trusted/certification authorities),
- Certificate revocation (additional infrastructure to recognize revoked certificates),
- Key backup/recovery/update (see banking systems/computer systems),
- Time stamping (fixed length validity periods).
PKI-enabled services are for example the following:
- Secure communication (see PGP, SSL, VPN, ...),
- Access control (privilege management),
- Privacy architecture (anonymous certificates, anonymous web browsing).
Example. Secure Socket Layer (SSL)
We assume that the client Alice (A) wants to purchase something from the server Bob (B). The protocol proceeds in the following steps:
Protocol actions: In the Hello-phase no cryptographic protocols are needed.
- The client A sends "I'm A, hello" to the server B.
- The server B sends "I'm B, hello" to the client A.
- After the Hello-phase the server B sends his public key $PK$ to A along with a signature $\mathrm{sig}_{CA}(PK)$ which has been generated by a trusted certification authority.
- Now A verifies the signature on $PK$.
- A generates a random master secret $MS$, encrypts it to $y = e_{PK}(MS)$ and sends the encrypted message $y$ to B.
- B decrypts the message to obtain $MS$: $MS = d_{PK}(y)$.
- Now both A and B may generate keys $(K_1, K_2) = h(MS)$ using a key derivation function $h$, e.g., a hash function.
- The key $K_1$ is used to authenticate data by a $\mathrm{MAC}(K_1)$, while the key $K_2$ is used for en-/decryption (e.g., by DES, triple-DES, AES or other fast block ciphers).
Note that A may not even have a public key or a certicate. What is needed in e-commerce
for example is not the identity of Alice, but the validity of her credit card number. The
biggest challenge for a public key infrastructure is to guarantee the authenticity of its
users public keys.
Problem: How to accept the identity of a party that you never met?
Conventional face-to-face identication is assured by a trusted third party (friend) who
presents the two parties to each other. Such a presentation protocol is also required
for cryptographic purposes. The presenting party in the cryptographic environment is
called a certication authority (CA). The management of the CAs requires a public key
infrastructure (PKI).
During face-to-face presentation, the presenter gives the relation between the name and
the face of a person, together with some side information (friend, relative, employee, etc.).
64 CHAPTER 8. PUBLIC-KEY CRYPTOGRAPHY
For cryptographic use the CA should give the relation between the public key and the
identity of a party. This information should be transmitted authenticated from the CA
to the receiver, e.g., signed under the widely known public key of the CA. The signed
information is called a certicate.
It is not necessary that the receiver communicates directly with the CA. Instead, the CA
can sign all required information of some potential sender. The sender may publish the
signed information widely, or send it to a specic party he wants to communicate with.
A certicate includes
the CA name,
a sequential number of the certicate,
the public key of the user,
the identity of the user,
the issuing date,
the expiration date,
the signature of the CA on all the above.
The CA should maintain a blacklist of canceled certicates, e.g., after the private key of
some user has been discovered and a new key pair has been generated. After the expiration
date entries in the blacklist may be deleted, since the certicates become invalid anyway.
8.4.1. The PGP Hierarchy
In the PGP hierarchy, every user is also a CA, and other users can select which CAs they
trust and which they do not trust. As a CA a user signs certicates to his friends. His
signature ensures that he recognizes the friend, and checked his identity. It does not mean
that the friend is trustworthy. Each user collects as many certicates as he wants to. To
prove his identity, he publishes or sends the collected certicates to other parties.
Receivers can select their own trust scheme:
Trust certicates of certain CAs unconditionally.
Trust some CAs only conditionally (suciently many certicates, additional certi-
cates required).
They can design their own certicate trust scheme in any way.
9. Public Key Cryptography (ctd.)
9.1. A Side-Channel Attack Against RSA
The computationally most expensive step in the decryption process of RSA, the exponentiation of $c$ with $d$ modulo $n$, can be accelerated using the Chinese Remainder Theorem (cf. Section 6.4) as follows:
1. First compute $m_1 = c^d \bmod p$. Since $c^{p-1} \equiv 1 \pmod p$, this can be reduced to the computation of $m_1 = c^{d \bmod (p-1)} \bmod p$.
2. Compute $m_2 = c^{d \bmod (q-1)} \bmod q$ analogously.
3. Determine $m$ such that $m \equiv m_1 \pmod p$ and $m \equiv m_2 \pmod q$. The solution of this system of congruences is given by the Chinese Remainder Theorem as
$$m = (b\,q\,m_1 + a\,p\,m_2) \bmod n,$$
where $a$ and $b$ are computed using the Extended Euclidean Algorithm (cf. Section 6.3) such that $ap + bq = 1$, and hence $a \equiv p^{-1} \pmod q$ and $b \equiv q^{-1} \pmod p$.
This method for the computation of $c^d \bmod n$ is approximately 4 times faster than the direct computation, since the numbers in the first two steps have approximately half the size and multiplications and squarings of $\ell$-bit numbers cost $O(\ell^2)$ time. However, if this accelerated method of computation is used on smart cards, an attack can be mounted that is based on the induction of hardware faults, a so-called fault induction attack: the idea is to use high temperature, irregular clock frequency or voltage, radiation or magnetism to provoke hardware errors and thus a false computation in exactly one of the first two steps described above. Assume that the error occurred in the computation of $m_1$.
The values available to the attacker are now
- $m$, the correct decryption obtained from $m_1$ and $m_2$, and
- $\tilde m$, the faulty decryption with the error in $m_1$.
With high probability it holds that
$$\tilde m \not\equiv m_1 \pmod p, \qquad \tilde m \equiv m_2 \pmod q.$$
Hence $\tilde m \not\equiv m \pmod p$, but $\tilde m \equiv m \pmod q$. It follows that $\gcd(m - \tilde m, n) = q$, which factors $n$.
The correct value $m$ is not even needed: if the attacker knows the plaintext (or, for signatures, the signed message) and the public exponent $e$, then $\tilde m^e \equiv c \pmod q$ but $\tilde m^e \not\equiv c \pmod p$, so $\gcd(\tilde m^e - c, n) = q$ as well. The standard countermeasure is to verify the result before releasing it, i.e., to check $m^e \equiv c \pmod n$ and to output nothing if the check fails.
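The CRT decryption and the fault attack above, as an added worked example in Python (not part of the lecture notes). The primes P, Q, the exponent E, the single-bit fault model and all function names are constructed for illustration; real keys are vastly larger and real faults are less tidy, but the gcd step is identical. The example also shows the variant that needs only the faulty value and the public exponent, and the countermeasure of re-encrypting before releasing a result.

```python
"""RSA-CRT decryption and the fault-induction attack of Section 9.1.
Added example, not part of the lecture notes. Toy parameters: the primes P, Q
and the message are constructed for illustration and far too small for real use."""
from math import gcd

# Constructed toy key (assumption: any two distinct odd primes behave the same way).
P, Q = 1000003, 1000033
N = P * Q
E = 65537


def make_private_key(p=P, q=Q, e=E):
    """Returns d and the CRT parameters a = p^-1 mod q, b = q^-1 mod p,
    so that a*p + b*q = 1 (mod n), as in step 3 of the text."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"p": p, "q": q, "n": p * q, "e": e, "d": d,
            "a": pow(p, -1, q), "b": pow(q, -1, p)}


def crt_decrypt(key, c, fault_in_m1=False):
    """Steps 1-3 of the text. `fault_in_m1` flips one bit of m_1 to model the
    hardware fault induced in exactly one of the two half-size exponentiations."""
    p, q, d, a, b, n = (key[k] for k in ("p", "q", "d", "a", "b", "n"))
    m1 = pow(c, d % (p - 1), p)           # c^d mod p, exponent reduced mod p-1
    if fault_in_m1:
        m1 ^= 1                            # the induced error: m1 is now wrong mod p
    m2 = pow(c, d % (q - 1), q)           # c^d mod q, untouched
    return (b * q * m1 + a * p * m2) % n  # CRT recombination


def crt_decrypt_checked(key, c, fault_in_m1=False):
    """Countermeasure: re-encrypt with the public exponent and release nothing
    unless the result is consistent with the ciphertext."""
    m = crt_decrypt(key, c, fault_in_m1)
    return m if pow(m, key["e"], key["n"]) == c else None


def _split(n, g):
    return (min(g, n // g), max(g, n // g)) if 1 < g < n else None


def factor_from_fault(n, m_correct, m_faulty):
    """Section 9.1: m and the faulty m~ agree mod q but not mod p,
    so gcd(m - m~, n) is the prime q."""
    return _split(n, gcd(m_correct - m_faulty, n))


def factor_from_fault_with_public_key(n, e, c, m_faulty):
    """Variant needing no correct decryption: m~^e = c (mod q) but not (mod p)."""
    return _split(n, gcd(pow(m_faulty, e, n) - c, n))


def demo(m=123456789):
    key = make_private_key()
    c = pow(m, E, N)
    good = crt_decrypt(key, c)
    bad = crt_decrypt(key, c, fault_in_m1=True)
    assert good == m and bad != m
    return factor_from_fault(N, good, bad), factor_from_fault_with_public_key(N, E, c, bad)


if __name__ == "__main__":
    print(demo())   # both attacks recover (P, Q)
```

Note that `crt_decrypt_checked` returns `None` for the faulty computation: a device that only ever emits verified results gives the attacker nothing to take a gcd with.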
9.2. The Rabin Cryptosystem
The Rabin cryptosystem was presented in [Rab79]. In principle it is like the RSA system with fixed public exponent $e = 2$. However, there exists no $d \in \mathbb{Z}_{\varphi(n)}^*$ with $de \equiv 1 \pmod{\varphi(n)}$, since $\gcd(\varphi(n), 2) = 2 \neq 1$.
Deciphering means computing square roots modulo $n$, but computing square roots modulo $n$ is no easier than factoring (cf. Prop. 8.3). Computing square roots modulo the primes $p$ and $q$ is easy.
Definition 9.1. $c \in \mathbb{Z}_n^*$ is called a quadratic residue modulo $n$ (QR mod $n$) if there exists $x \in \mathbb{Z}_n^*$ such that $x^2 \equiv c \pmod n$. Otherwise $c$ is called a quadratic nonresidue.
Proposition 9.2. (Euler's criterion) Let $p > 2$ be prime. $c \in \mathbb{Z}_p^*$ is a quadratic residue mod $p$ if and only if $c^{(p-1)/2} \equiv 1 \pmod p$.
Proof. Exercise.
In general, Proposition 9.2 provides no indication how to compute square roots.
Proposition 9.3. Let $p$ be prime, $p \equiv 3 \pmod 4$, i.e., $p = 4k - 1$, and let $c$ be a quadratic residue mod $p$. Then the equation $x^2 \equiv c \pmod p$ has the only solutions $x_{1,2} = \pm c^k \bmod p$.
Proof. As $k = \frac{p+1}{4}$ we have
$$x_{1,2}^2 \equiv (c^k)^2 \equiv c^{\frac{p+1}{2}} \equiv \underbrace{c^{\frac{p-1}{2}}}_{\equiv 1 \pmod p} \cdot c \equiv c \pmod p.$$
To see that $\pm c^k \bmod p$ are the only solutions, assume $x^2 \equiv c \pmod p$ and $y^2 \equiv c \pmod p$. Then
$$x^2 - y^2 \equiv 0 \pmod p \ \Rightarrow\ p \mid (x+y)(x-y) \ \Rightarrow\ p \mid (x+y) \text{ or } p \mid (x-y) \ \Rightarrow\ x \equiv -y \pmod p \text{ or } x \equiv y \pmod p.$$
Hence $x_{1,2}$ are the only solutions.
Remark. For $p \equiv 1 \pmod 4$ there is no known efficient deterministic algorithm to compute square roots modulo $p$. However, there is a polynomial-time probabilistic algorithm (cf. [MvOV96, 3.5]); its only probabilistic step is finding a quadratic nonresidue modulo $p$, which succeeds with probability $\frac12$ per trial.
If the factors $p$ and $q$ of $n$ are known, square roots modulo $n$ can be computed as described in the following proposition:
Proposition 9.4. Let $n = p \cdot q$, $p$ and $q$ prime. Use the Extended Euclidean Algorithm to compute $s, t \in \mathbb{Z}$ with
$$sp + tq = \gcd(p, q) = 1.$$
Let $a = tq$, $b = sp$, and further let $x, y \in \mathbb{Z}$ with
$$x^2 \equiv c \pmod p, \qquad y^2 \equiv c \pmod q.$$
Then $f = ax + by$ is a solution of $f^2 \equiv c \pmod n$.
Proof. By definition
$$a \equiv 1 \pmod p,\quad b \equiv 0 \pmod p, \qquad (9.1)$$
$$a \equiv 0 \pmod q,\quad b \equiv 1 \pmod q. \qquad (9.2)$$
Moreover,
$$(ax + by)^2 = a^2x^2 + 2abxy + b^2y^2 \equiv \begin{cases} x^2 \equiv c \pmod p, \\ y^2 \equiv c \pmod q. \end{cases}$$
Hence, by Proposition 8.1, $(ax+by)^2 \equiv c \pmod n$.
The proof is also immediate from the Chinese Remainder Theorem (cf. 6.4).
In summary, if there are two square roots $\pm x$ and $\pm y$ modulo $p$ and $q$ respectively, then there are at most 4 roots $\pm ax \pm by$ of $f^2 \equiv c \pmod n$ (exactly 4 for $c \in \mathbb{Z}_n^*$).
The Rabin Cryptosystem. Now we have all the primitives to describe the Rabin cryptosystem as follows:
1. Select primes $p \neq q$ with $p, q \equiv 3 \pmod 4$ and let $n = p \cdot q$.
2. The public key is now $n$, the private key the factors $(p, q)$ of $n$.
3. A message $m \in \{1, \dots, n-1\}$ is encrypted via
$$c = m^2 \bmod n.$$
4. Decryption of a cryptogram $c$ means computing the square roots modulo $n$ using Propositions 9.3 and 9.4.
Note that $m$ must satisfy $m \geq \sqrt n$; otherwise $c = m^2$ is not reduced modulo $n$ and $m$ is obtained by computing the square root in the real domain.
Remark 9.5. There are 4 solutions when deciphering; the right one must be identified from the context. To avoid this, repeat, e.g., the last 64 bits of each message. Be alarmed if none of the solutions has repeated last bits in this case.
Remark 9.6. (Security of the Rabin Cryptosystem)
1. From Proposition 8.3: Breaking the Rabin cryptosystem (recovering $m$ from $c$) is equivalent to factoring $n$.
2. The Rabin cryptosystem is vulnerable to chosen-ciphertext attacks:
- Oscar chooses $m$ at random and computes $c = m^2 \bmod n$.
- $c$ is deciphered with plaintext $m'$.
- With probability $\frac12$ it holds that $m' \not\equiv \pm m \pmod n$. In this case compute $\gcd(m - m', n) \in \{p, q\}$ (cf. Prop. 6.8). Otherwise repeat the steps given above.
Hence, never publish a deciphered message which is not the right one (cf. Remark 9.5).
3. Broadcast endangers the Rabin cryptosystem: Assume that the same message $m$ is sent to $K$ receivers encrypted with public keys $n_1, \dots, n_K$. Very likely all prime factors of these public keys are different (otherwise a gcd of two moduli already factors them), and an attacker eavesdrops from the channel
$$c_1 = m^2 \bmod n_1,\quad \dots,\quad c_K = m^2 \bmod n_K.$$
Now the attacker solves the system of congruences
$$x \equiv c_1 \pmod{n_1},\quad \dots,\quad x \equiv c_K \pmod{n_K}.$$
The Chinese Remainder Theorem yields a solution
$$x \equiv m^2 \pmod{n_1 \cdots n_K}.$$
Since $m < n_i$ for all $i = 1, \dots, K$ and $K \geq 2$, it follows that $m^2 < n_1 \cdots n_K$. Hence $x = m^2$ holds over the integers, and $m$ can be computed by square root computation in $\mathbb{R}$. This type of attack also works for RSA with a small encryption exponent $e$ (e.g. $e = 3$) as soon as the same message is sent to at least $e$ receivers, since then $m^e < n_1 \cdots n_K$.
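The broadcast attack described above, as an added Python example (not from the lecture notes). It implements the Chinese Remainder Theorem step and the integer root, for Rabin with two receivers and, as the text remarks, for RSA with $e = 3$ and three receivers; the moduli RABIN_MODULI, RSA_MODULI, the message and the function names are constructed toy values.

```python
"""Broadcast attack of Remark 9.6(3): the same m sent to K receivers under
Rabin (e = 2, K = 2) or RSA with e = 3 (K = 3) is recovered with the CRT and an
integer root. Added example, not from the lecture notes; the moduli below are
constructed from small primes for illustration."""
from math import gcd


def crt(residues, moduli):
    """Solve x = r_i (mod n_i) for pairwise coprime n_i; returns (x, prod n_i)."""
    x, big_n = 0, 1
    for r, n in zip(residues, moduli):
        assert gcd(big_n, n) == 1, "moduli share a factor (which would factor them)"
        t = ((r - x) * pow(big_n, -1, n)) % n   # lift x so that it also satisfies x = r (mod n)
        x, big_n = x + big_n * t, big_n * n
    return x % big_n, big_n


def iroot(x, e):
    """Exact integer e-th root of x, or None if x is not a perfect e-th power."""
    lo, hi = 0, 1 << (x.bit_length() // e + 1)
    while lo < hi:                         # binary search for the smallest r with r^e >= x
        mid = (lo + hi) // 2
        if mid ** e < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** e == x else None


def broadcast_attack(ciphertexts, moduli, e):
    """Needs at least e ciphertexts of the same m < min(moduli): then
    m^e < prod(moduli), so the CRT solution equals m^e over the integers."""
    assert len(ciphertexts) >= e
    x, _ = crt(ciphertexts, moduli)
    return iroot(x, e)


# Constructed receivers' moduli (products of small primes, NOT secure sizes).
RABIN_MODULI = [1019 * 1031, 2003 * 2011]                # Rabin: e = 2, two receivers
RSA_MODULI = [1019 * 1031, 2003 * 2011, 10007 * 10009]   # RSA: e = 3, three receivers


def demo(m=424242):
    rabin_cts = [pow(m, 2, n) for n in RABIN_MODULI]
    rsa_cts = [pow(m, 3, n) for n in RSA_MODULI]
    return (broadcast_attack(rabin_cts, RABIN_MODULI, 2),
            broadcast_attack(rsa_cts, RSA_MODULI, 3))


if __name__ == "__main__":
    print(demo())   # (424242, 424242): the plaintext, recovered without any private key
```

The defence is the one the next section motivates: randomize the encryption (padding such as OAEP for RSA), so that the same message never produces related ciphertexts under different keys.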
9.3. Flipping Coins over the Telephone
Alice and Bob want to decide over the telephone who gets a device offered by a friend. Alice flips a coin, Bob chooses tails. Alice says "Sorry, it was heads, I win." There are multiple opportunities for cheating. Hence, a secure and fair protocol is sought:
Coin flipping protocol
- A chooses large primes $p \neq q$, $p, q \equiv 3 \pmod 4$, at random, computes $n = p \cdot q$ and sends $n$ to B.
- B chooses randomly $x \in \mathbb{Z}_n^*$, computes $y = x^2 \bmod n$ and sends $y$ to A.
- A computes the 4 square roots $\pm a, \pm b$ of $y$ (cf. Prop. 9.4), selects randomly $a$ or $b$ (this corresponds to flipping a coin, since $y$ reveals nothing about which pair contains $x$), say $b$, and sends $b$ to B.
- If $b \equiv \pm x \pmod n$, then B is not able to factor $n$ and A wins; if $b \not\equiv \pm x \pmod n$, then B factors $n$ by $\gcd(x - b, n)$ and B wins (and can prove it by presenting $p$ and $q$).
Security of the Coin Flipping Protocol
1. If B sends a random number which is not a square, A cannot find a root and stops the protocol, as B is obviously cheating. If B sends a random number which is a square (without knowing a root), then A finds a root, but B cannot factor $n$ and hence A wins.
2. If A sends a random number $z$ which is not a root of $y$, B cannot factor $n$, but he can check whether $z^2 \equiv y \pmod n$; if not, A is cheating and B stops the protocol.
3. If A chooses $n$ as a product of more than 2 primes, there are more than 4 square roots modulo $n$ (in the case of $n$ being a product of 3 primes there are, for example, 8 square roots), hence A only deteriorates her chances.
4. If B wants to lose the game on purpose, he can do so.
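The Rabin system of Section 9.2 and the coin-flipping protocol above, as one added Python example (not from the lecture notes): square roots modulo $p \equiv 3 \pmod 4$ (Prop. 9.3), their CRT combination (Prop. 9.4), the chosen-ciphertext attack of Remark 9.6 against a device that hands out the wrong root, and the coin flip, in which either A wins or B ends up with the factorization. The primes P, Q, the message and the function names are constructed for illustration.

```python
"""Rabin encryption (Section 9.2), its 4-root decryption (Props. 9.3/9.4),
the chosen-ciphertext factoring attack (Remark 9.6) and the coin-flipping
protocol (Section 9.3). Added example, not part of the lecture notes; the primes
P, Q below are constructed toy values, far too small for real use."""
import secrets
from math import gcd

P, Q = 10007, 100003         # both = 3 (mod 4), so Prop. 9.3 applies


def sqrt_mod_prime_3mod4(c, p):
    """Prop. 9.3: for p = 3 (mod 4) the roots of a QR c are +-c^((p+1)/4) mod p."""
    r = pow(c, (p + 1) // 4, p)
    if r * r % p != c % p:
        raise ValueError("not a quadratic residue mod p")
    return r


def sqrt_mod_pq(c, p, q):
    """Prop. 9.4: a = 1 (mod p), a = 0 (mod q); b = 0 (mod p), b = 1 (mod q).
    Returns all four roots +-ax +-by of c modulo n = pq, sorted ascending."""
    n = p * q
    a = q * pow(q, -1, p)
    b = p * pow(p, -1, q)
    x = sqrt_mod_prime_3mod4(c, p)
    y = sqrt_mod_prime_3mod4(c, q)
    return sorted({(sx * a * x + sy * b * y) % n for sx in (1, -1) for sy in (1, -1)})


def rabin_encrypt(n, m):
    assert 1 <= m < n and gcd(m, n) == 1
    return m * m % n


def rabin_decrypt(sk, c):
    """Returns all four candidate plaintexts; the caller must pick the right one
    (Remark 9.5) and must never reveal the other three (Remark 9.6)."""
    p, q = sk
    return sqrt_mod_pq(c, p, q)


def chosen_ciphertext_attack(n, decryption_oracle, rng=secrets.randbelow):
    """Remark 9.6(2): submit m^2 for random m; with probability 1/2 the oracle
    returns a root m' != +-m, and then gcd(m - m', n) is a prime factor of n."""
    while True:
        m = 2 + rng(n - 3)
        g = gcd(m, n)
        if g != 1:                              # lucky: m itself shares a factor
            return tuple(sorted((g, n // g)))
        m_prime = decryption_oracle(m * m % n)
        if m_prime not in (m, n - m):
            g = gcd(m - m_prime, n)
            return tuple(sorted((g, n // g)))


def coin_flip(p, q, rng=secrets.randbelow):
    """Section 9.3. A knows (p, q); B commits to x by sending y = x^2 mod n;
    A returns one of the four roots, which decides the game."""
    n = p * q
    x = 2 + rng(n - 3)                          # B's secret
    while gcd(x, n) != 1:
        x = 2 + rng(n - 3)
    y = x * x % n                               # B -> A
    roots = sqrt_mod_pq(y, p, q)                # A: {+-a, +-b}
    b = roots[rng(4)]                           # A's coin flip: which root to return
    assert b * b % n == y                       # what B checks on receipt
    if b in (x, n - x):
        return "A wins", None                   # B learned nothing new
    g = gcd(x - b, n)
    return "B wins", tuple(sorted((g, n // g)))  # B factors n and can show (p, q)


def demo():
    n, sk = P * Q, (P, Q)
    m = 123456
    roots = rabin_decrypt(sk, rabin_encrypt(n, m))
    # A careless device that always hands out the smallest root is enough:
    factors = chosen_ciphertext_attack(n, lambda c: min(rabin_decrypt(sk, c)))
    return roots, factors, coin_flip(P, Q)
```

The oracle in `demo` is deterministic (it always returns the smallest root) and the attack still succeeds: what matters is that the root the device returns is independent of the root the attacker already knows.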
9.4. Probabilistic Public-Key Encryption
Deterministic public key schemes have some drawbacks:
- RSA and Rabin are deterministic: a particular plaintext $m$ is always encrypted to the same ciphertext. It is easy to detect if the same message is sent twice.
- It is sometimes easy to compute partial information. For example, in RSA $c = m^e \bmod n$, and it holds that
$$\left(\frac{c}{n}\right) = \left(\frac{m^e}{n}\right) = \left(\frac{m}{n}\right)^e = \left(\frac{m}{n}\right),$$
since $e$ is odd (otherwise $e \notin \mathbb{Z}_{\varphi(n)}^*$). Thus the Jacobi symbol of the plaintext leaks from the ciphertext.
To avoid such information leakage, probabilistic public key encryption schemes are utilized. This chapter first gives some number theoretic background and then presents two probabilistic public key schemes.
Proposition 9.7. Let $n = p \cdot q$, $p \neq q$ prime. Then $a$ is a quadratic residue modulo $n$ if and only if $a$ is a quadratic residue modulo $p$ and $a$ is a quadratic residue modulo $q$.
Proof.
"$\Rightarrow$": If there exists $x \in \mathbb{Z}_n^*$ such that $x^2 \equiv a \pmod n$, then by Proposition 8.1 it follows that $x^2 \equiv a \pmod p$ and $x^2 \equiv a \pmod q$.
"$\Leftarrow$": If there exists $x \in \mathbb{Z}_p^*$ such that $x^2 \equiv a \pmod p$ and $y \in \mathbb{Z}_q^*$ with $y^2 \equiv a \pmod q$, then by Proposition 9.4 there exists $f \in \mathbb{Z}_n^*$ with $f^2 \equiv a \pmod n$.
Definition 9.8. Let $p > 2$ be prime and $a \in \mathbb{N}$. The Legendre symbol is defined as
$$\left(\frac{a}{p}\right) = \begin{cases} 0, & \text{if } a \equiv 0 \pmod p, \\ 1, & \text{if } a \text{ is a quadratic residue mod } p, \\ -1, & \text{otherwise.} \end{cases}$$
Let $n = \prod_i p_i^{k_i}$ be the prime factorization of $n$. The Jacobi symbol is defined as
$$\left(\frac{a}{n}\right) = \prod_i \left(\frac{a}{p_i}\right)^{k_i}.$$
Remark 9.9.
1. For any odd $n > 2$ it holds that
$$\left(\frac{ab}{n}\right) = \left(\frac{a}{n}\right)\left(\frac{b}{n}\right).$$
2. Algorithm 6 can be used to compute $\left(\frac{a}{n}\right)$ with running time $O((\ln n)^2)$, without knowing the factorization of $n$ (cf. [MvOV96, Alg. 2.149]).
Algorithm 6 Computing the Jacobi (and Legendre) symbol
Input: An odd integer $n > 2$ and an integer $a$, $0 \leq a < n$.
Output: The Jacobi symbol $\left(\frac{a}{n}\right)$ (and hence the Legendre symbol, when $n$ is prime)
procedure JACOBI($a$, $n$)
  if $a = 0$ then return 0
  if $a = 1$ then return 1
  Write $a = 2^e a_1$, where $a_1$ is odd
  if $e$ is even or $n \equiv 1 \pmod 8$ or $n \equiv 7 \pmod 8$ then $s \leftarrow 1$ else $s \leftarrow -1$
  if $n \equiv 3 \pmod 4$ and $a_1 \equiv 3 \pmod 4$ then $s \leftarrow -s$
  $n_1 \leftarrow n \bmod a_1$
  if $a_1 = 1$ then return $s$
  return $s \cdot$ JACOBI($n_1$, $a_1$)
end procedure
Unlike the Legendre symbol, the Jacobi symbol does not reveal whether $a$ is a quadratic residue modulo $n$. It holds that
$$a \text{ is a quadratic residue mod } n \ \Rightarrow\ \left(\frac{a}{n}\right) = 1,$$
however, the converse is not true in general.
Proposition 9.10. Let $n = pq$, $p \neq q$ prime, $a \in \mathbb{Z}_n$ with $\left(\frac{a}{n}\right) = 1$. Then
$$a \text{ is a quadratic residue mod } n \iff \left(\frac{a}{p}\right) = 1.$$
Proof.
"$\Rightarrow$": $a$ quadratic residue modulo $n$ $\Rightarrow$ $a$ is a quadratic residue modulo $p$ and modulo $q$ $\Rightarrow$ $\left(\frac{a}{p}\right) = 1$ (and also $\left(\frac{a}{q}\right) = 1$).
"$\Leftarrow$": $\left(\frac{a}{p}\right) = 1 \Rightarrow a$ is a quadratic residue modulo $p$. Suppose $a$ is not a quadratic residue modulo $q$; then $\left(\frac{a}{n}\right) = \left(\frac{a}{p}\right)\left(\frac{a}{q}\right) = -1 \neq 1$, a contradiction. Hence $a$ is a quadratic residue modulo $q$ as well, and by Proposition 9.7 modulo $n$.
The subsequent probabilistic public key cryptosystems (Goldwasser-Micali and Blum-Goldwasser) rely on the intractability of the so-called quadratic residuosity problem. Before actually introducing these two systems, we first collect some information about the tractability of deciding whether a given $a \in \mathbb{Z}_n^*$ is a quadratic residue modulo $n$.
Let $a \in \mathbb{Z}_n^*$ with $\left(\frac{a}{n}\right) = 1$ (recall that $\left(\frac{a}{n}\right) = -1 \Rightarrow a$ is a quadratic nonresidue). We distinguish the following related problems:
QRP$(a, n)$: Decide whether $a$ is a quadratic residue modulo $n$.
QRSP$(a, n)$: Decide if $a$ is a quadratic residue modulo $n$ and compute the square roots, i.e., all $x \in \mathbb{Z}_n^*$ with $x^2 \equiv a \pmod n$.
FAC$(n)$: Factor $n$.
Concerning these problems the following relations hold: solving QRSP is equivalent to solving FAC (cf. Propositions 6.8 and 8.3), and obviously QRP is no harder to solve than QRSP. Then of course solving QRP is also no harder than solving FAC: if the factorization of $n = p \cdot q$ is known, QRP can easily be solved using Proposition 9.10 (one Legendre symbol modulo $p$).
Remark 9.11.
- There is no efficient algorithm known for solving QRP.
- The common belief is that QRP is no easier than factoring.
9.4.1. The Goldwasser-Micali Cryptosystem
In 1984 Goldwasser and Micali presented a probabilistic public key cryptosystem whose security is based on the QRP [GM84]. The primitives of the system are the following:
Key Generation: Choose large primes $p \neq q$ and compute $n = p \cdot q$. Choose $y \in \mathbb{Z}_n^*$ with $y$ a quadratic nonresidue modulo $n$ and $\left(\frac{y}{n}\right) = 1$ (such $y$ is called a pseudo-square).
Public key: $(n, y)$, private key: $(p, q)$.
Encryption with public key $(n, y)$: Given a message $m = (m_1, \dots, m_t) \in \{0,1\}^t$, choose stochastically independent random numbers $x_1, \dots, x_t \in \mathbb{Z}_n^*$. Now let
$$c_i = \begin{cases} y x_i^2 \bmod n, & \text{if } m_i = 1, \\ x_i^2 \bmod n, & \text{otherwise,} \end{cases} \qquad i = 1, \dots, t.$$
The ciphertext is $c = (c_1, \dots, c_t)$.
Decryption with private key $(p, q)$: Let
$$m_i = \begin{cases} 0, & \text{if } \left(\frac{c_i}{p}\right) = 1, \\ 1, & \text{otherwise,} \end{cases} \qquad i = 1, \dots, t.$$
The message is $m = (m_1, \dots, m_t)$.
Proposition 9.12. The decryption procedure of the Goldwasser-Micali cryptosystem is correct.
Proof. (i) $m_i = 0 \Rightarrow c_i = x_i^2 \bmod n$, i.e., $c_i$ is a quadratic residue modulo $n$ $\Rightarrow$ $c_i$ is a quadratic residue modulo $p$ $\Rightarrow \left(\frac{c_i}{p}\right) = 1$.
(ii) $m_i = 1 \Rightarrow c_i = y x_i^2 \bmod n$. $c_i$ is a pseudo-square modulo $n$, since
$$\left(\frac{c_i}{n}\right) = \left(\frac{y}{n}\right)\left(\frac{x_i^2}{n}\right) = \left(\frac{x_i^2}{p}\right)\left(\frac{x_i^2}{q}\right) = 1 \qquad \Big(\text{as } \left(\tfrac{y}{n}\right) = 1\Big).$$
Suppose there exists $v$ with $v^2 \equiv y x_i^2 \pmod n$. Then
$$y \equiv v^2 (x_i^2)^{-1} \equiv \big(v \cdot x_i^{-1}\big)^2 \pmod n,$$
so $y$ is a quadratic residue modulo $n$, a contradiction. Hence $c_i$ is a quadratic nonresidue modulo $n$ with $\left(\frac{c_i}{n}\right) = 1$, and by Proposition 9.10 $\left(\frac{c_i}{p}\right) \neq 1$, i.e., $\left(\frac{c_i}{p}\right) = -1$.
Determining Pseudo-Squares
Proposition 9.13. Let $p > 3$ be prime and $g$ a primitive element modulo $p$. Then $a$ is a quadratic residue mod $p$ $\iff$ $a = g^i \bmod p$ for some even integer $i$.
Proof. Exercise.
Hence, half of the elements in $\mathbb{Z}_p^*$ are quadratic residues and the other half are quadratic nonresidues modulo $p$. An efficient algorithm for finding pseudo-squares modulo $n = pq$ is given in Algorithm 7.
Algorithm 7 Finding pseudo-squares modulo $n = pq$
1. Choose $a \in \mathbb{Z}_p^*$, a quadratic nonresidue modulo $p$ (choose $a \in \mathbb{Z}_p^*$ at random and check whether $\left(\frac{a}{p}\right) = -1$).
2. Choose $b \in \mathbb{Z}_q^*$, a quadratic nonresidue modulo $q$ (choose $b \in \mathbb{Z}_q^*$ at random and check whether $\left(\frac{b}{q}\right) = -1$). The success probability is $\frac12$ in each trial.
3. Compute $y \in \{0, \dots, n-1\}$ with $y \equiv a \pmod p$ and $y \equiv b \pmod q$ (Chinese Remainder Theorem).
It follows that $y$ is a quadratic nonresidue modulo $p$ and hence also modulo $n$, and
$$\left(\frac{y}{n}\right) = \left(\frac{y}{p}\right)\left(\frac{y}{q}\right) = (-1)(-1) = 1.$$
Hence, $y$ is a pseudo-square modulo $n$.
Security of the Goldwasser-Micali Cryptosystem
An opponent intercepts
$$c_i = \begin{cases} y x_i^2 \bmod n, & \text{if } m_i = 1, \\ x_i^2 \bmod n, & \text{if } m_i = 0, \end{cases} \qquad i = 1, \dots, t,$$
hence a random quadratic residue or a random pseudo-square modulo $n$. To decide whether $m_i = 1$ or $m_i = 0$, Oscar has to solve QRP$(c_i, n)$. If QRP is computationally infeasible, then Oscar can do no better than guess $m_i$, see Remark 9.11.
Remark 9.14. A major drawback of the Goldwasser-Micali cryptosystem is the message expansion by a factor of $\log_2 n$: every plaintext bit becomes a ciphertext element of $\log_2 n$ bits. To assure security presently an $n$ of about 1024 bits is needed, which means an expansion by a factor of 1024.
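The Jacobi symbol of Algorithm 6, the pseudo-square search of Algorithm 7 and the Goldwasser-Micali cryptosystem, as one added Python example (not from the lecture notes). The iterative `jacobi()` is the loop form of the recursive Algorithm 6; P, Q and the plaintext bits are constructed toy values, all function names are the example's own, and the cross-check against Euler's criterion exists only to validate the symbol computation.

```python
"""Jacobi symbol (Algorithm 6), pseudo-squares (Algorithm 7) and the
Goldwasser-Micali cryptosystem (Section 9.4.1). Added example, not part of the
lecture notes; P, Q are constructed toy primes, far too small for real use."""
import secrets
from math import gcd

P, Q = 10007, 100003


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 2 without factoring n: the iterative
    form of Algorithm 6, using (2/n) and quadratic reciprocity."""
    assert n > 2 and n % 2 == 1
    a %= n
    s = 1
    while a != 0:
        while a % 2 == 0:                  # pull out 2s: (2/n) = -1 iff n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                s = -s
        a, n = n, a                        # reciprocity: swap, and flip the sign
        if a % 4 == 3 and n % 4 == 3:      # iff both are = 3 (mod 4)
            s = -s
        a %= n
    return s if n == 1 else 0              # n != 1 here means gcd(a, n) > 1


def legendre_by_euler(a, p):
    """Prop. 9.2 (Euler's criterion); used only to cross-check jacobi() for prime p."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def find_pseudo_square(p, q, rng=secrets.randbelow):
    """Algorithm 7: y = a (mod p), y = b (mod q) with a, b nonresidues,
    hence (y/n) = (-1)(-1) = 1 although y is a nonresidue mod n."""
    n = p * q
    a = 1 + rng(p - 1)
    while jacobi(a, p) != -1:              # each trial succeeds with probability 1/2
        a = 1 + rng(p - 1)
    b = 1 + rng(q - 1)
    while jacobi(b, q) != -1:
        b = 1 + rng(q - 1)
    y = (a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % n   # CRT step 3
    assert jacobi(y, n) == 1
    return y


def gm_keygen(p, q, rng=secrets.randbelow):
    return (p * q, find_pseudo_square(p, q, rng)), (p, q)


def gm_encrypt(pk, bits, rng=secrets.randbelow):
    """Bit m_i -> y*x_i^2 (a pseudo-square) if m_i = 1, else x_i^2 (a square)."""
    n, y = pk
    out = []
    for m in bits:
        x = 2 + rng(n - 3)
        while gcd(x, n) != 1:
            x = 2 + rng(n - 3)
        c = x * x % n
        out.append(c * y % n if m else c)
    return out


def gm_decrypt(sk, cts):
    """Prop. 9.10: with p known, one Legendre symbol decides residuosity mod n."""
    p, _q = sk
    return [0 if jacobi(c, p) == 1 else 1 for c in cts]


def expansion_factor(pk):
    """Remark 9.14: each plaintext bit costs about log2(n) ciphertext bits."""
    return pk[0].bit_length()


def demo(bits=(1, 0, 1, 1, 0, 0, 1)):
    pk, sk = gm_keygen(P, Q)
    c1, c2 = gm_encrypt(pk, bits), gm_encrypt(pk, bits)
    # Two encryptions of the same bits differ: the scheme is probabilistic.
    return gm_decrypt(sk, c1), gm_decrypt(sk, c2), c1 != c2, expansion_factor(pk)
```

Without $p$ the receiver's test is unavailable: `jacobi(c, n)` is 1 for every ciphertext element, which is exactly why the Jacobi symbol modulo $n$ leaks nothing here.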
9.4.2. The Blum-Goldwasser Cryptosystem
Also in 1984, Manuel Blum and Shafi Goldwasser presented another probabilistic public-key cryptosystem [BG84]. This section describes the primitives of this system.
Key generation:
(i) Choose two large primes $p \neq q$, $p, q \equiv 3 \pmod 4$, and compute $n = pq$.
(ii) Compute $a, b \in \mathbb{Z}$ with $ap + bq = 1$ (Extended Euclidean Algorithm).
(iii) Public key: $n$, private key: $(p, q, a, b)$.
Encryption with public key $n$:
Let $h = \lfloor \log_2 \lfloor \log_2 n \rfloor \rfloor$. Consider a message $m = (m_1, \dots, m_t) \in \{0,1\}^{ht}$, each $m_i$ a binary block of length $h$. Now generate a sequence of $h \cdot t$ pseudorandom bits $(b_1, \dots, b_t) \in \{0,1\}^{ht}$ using the Blum-Blum-Shub generator (cf. Algorithm 8) and compute
$$c_i = m_i \oplus b_i, \qquad i = 1, \dots, t.$$
The ciphertext is now $(c_1, \dots, c_t, x_{t+1})$, where $x_{t+1}$ is the last quadratic residue computed by the Blum-Blum-Shub generator.
Decryption with private key $(p, q, a, b)$:
From the knowledge of $x_{t+1}$ and the private key, compute the initial value $x_0$ of the Blum-Blum-Shub generator as follows. Let
$$d_1 = \Big(\frac{p+1}{4}\Big)^{t+1} \bmod (p-1) \quad\text{and}\quad d_2 = \Big(\frac{q+1}{4}\Big)^{t+1} \bmod (q-1).$$
Let $u = x_{t+1}^{d_1} \bmod p$ and $v = x_{t+1}^{d_2} \bmod q$. Then $x_0 = (vap + ubq) \bmod n$. Now iterate as in the Blum-Blum-Shub generator, $x_i = x_{i-1}^2 \bmod n$ for $i = 1, \dots, t$, let $b_i$ denote the last $h$ bits of $x_i$ and compute
$$m_i = c_i \oplus b_i, \qquad i = 1, \dots, t.$$
This yields the message $(m_1, \dots, m_t)$.
Algorithm 8 The Blum-Blum-Shub generator
- Select a random quadratic residue $x_0$ modulo $n$ (select randomly $s \in \mathbb{Z}_n^*$ and compute $x_0 = s^2 \bmod n$).
- Iterate: $x_i = x_{i-1}^2 \bmod n$, $i = 1, \dots, t+1$.
- Let $b_i$ denote the last $h$ bits of $x_i$, where $h = \lfloor \log_2 \lfloor \log_2 n \rfloor \rfloor$.
- Return the sequence $b_1, \dots, b_t$ of $h \cdot t$ pseudorandom bits.
Proposition 9.15. The decryption of the Blum-Goldwasser system is correct.
Proof. The only point remaining is to show that $x_0$ is computed correctly. For all $i = 0, \dots, t+1$:
$$x_i \text{ is a quadratic residue mod } n \ \Rightarrow\ x_i \text{ is a quadratic residue mod } p \ \Rightarrow\ x_i^{\frac{p-1}{2}} \equiv 1 \pmod p.$$
Hence,
$$(x_{i+1})^{\frac{p+1}{4}} \equiv (x_i^2)^{\frac{p+1}{4}} \equiv x_i^{\frac{p+1}{2}} \equiv x_i^{\frac{p-1}{2}} \cdot x_i \equiv x_i \pmod p.$$
By induction it follows that
$$u \equiv (x_{t+1})^{d_1} \equiv (x_{t+1})^{(\frac{p+1}{4})^{t+1}} \equiv \Big((x_{t+1})^{\frac{p+1}{4}}\Big)^{(\frac{p+1}{4})^{t}} \equiv x_t^{(\frac{p+1}{4})^{t}} \equiv \dots \equiv x_1^{\frac{p+1}{4}} \equiv x_0 \pmod p.$$
(Reducing the exponent modulo $p-1$ is allowed since $x_{t+1} \in \mathbb{Z}_p^*$.) Analogously we prove that $v \equiv (x_{t+1})^{d_2} \equiv x_0 \pmod q$. Furthermore it holds that
$$\underbrace{vap}_{\equiv 0} + u\underbrace{bq}_{\equiv 1} \equiv x_0 \pmod p \quad\text{and}\quad vap + ubq \equiv x_0 \pmod q,$$
and hence $vap + ubq \equiv x_0 \pmod n$.
An example of how the Blum-Goldwasser system works can be found in [MvOV96, ex. 8.57].
Security of the Blum-Goldwasser Cryptosystem
a) An eavesdropper sees the quadratic residue $x_{t+1}$. To determine $x_t$ means to solve QRSP$(x_{t+1}, n)$, which is considered computationally infeasible.
b) Investigating security by probabilistic methods, see [Sti95] and [MvOV96, note 8.58], particularly for the Blum-Blum-Shub generator.
c) The Blum-Goldwasser system is vulnerable to chosen-ciphertext attacks if the decryption device leaks the value $x_0$: an opponent selects randomly $m \in \mathbb{Z}_n^*$ and computes $x'_{t+1} = m^2 \bmod n$. In the decipherment, a value $x'_0$ is computed from $x'_{t+1}$. Now Oscar computes $x'_t = (x'_0)^{2^t} \bmod n$. There are 4 solutions of $x'_{t+1} \equiv y^2 \pmod n$, and $x'_t$ is one of them. If $x'_t \not\equiv \pm m \pmod n$, then $\gcd(x'_t - m, n) \in \{p, q\}$. Otherwise the attacker selects a new random number $m$. This attack is analogous to the one against the Rabin cryptosystem.
Efficiency of the Blum-Goldwasser Cryptosystem
a) The message expansion is a constant $\lceil \log_2 n \rceil$ bits, the representation of $x_{t+1}$ in $c$.
b) The computational effort is comparable to RSA, both in the encryption and in the decryption step; for details see [MvOV96, note 8.59].
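The Blum-Blum-Shub generator and Blum-Goldwasser encryption and decryption above, as an added Python example (not from the lecture notes). P, Q and the message blocks are constructed toy values and the function names are the example's own. `recover_x0()` is exactly the exponent chain of Proposition 9.15, and `block_length()` computes $h = \lfloor \log_2 \lfloor \log_2 n \rfloor \rfloor$ on integers to avoid floating-point rounding.

```python
"""Blum-Blum-Shub generator (Algorithm 8) and Blum-Goldwasser encryption /
decryption (Section 9.4.2). Added example, not part of the lecture notes;
P, Q are constructed toy primes (= 3 mod 4), far too small for real use."""
import secrets
from math import gcd

P, Q = 10007, 100003


def block_length(n):
    """h = floor(log2 floor(log2 n)), computed exactly on integers."""
    return (n.bit_length() - 1).bit_length() - 1


def bg_keygen(p, q):
    assert p % 4 == 3 and q % 4 == 3 and p != q
    a = pow(p, -1, q)            # a*p = 1 (mod q)
    b = pow(q, -1, p)            # b*q = 1 (mod p), hence a*p + b*q = 1 (mod n)
    return p * q, (p, q, a, b)


def bbs(x0, n, t, h):
    """Algorithm 8: x_i = x_{i-1}^2 mod n; returns ([b_1..b_t], x_{t+1}) where
    b_i are the h low-order bits of x_i."""
    x, bits = x0, []
    for _ in range(t):
        x = x * x % n
        bits.append(x & ((1 << h) - 1))
    return bits, x * x % n


def bg_encrypt(n, blocks, rng=secrets.randbelow):
    """blocks: list of h-bit integers m_i. Returns ([c_i], x_{t+1})."""
    h = block_length(n)
    assert all(0 <= m < (1 << h) for m in blocks)
    s = 2 + rng(n - 3)
    while gcd(s, n) != 1:
        s = 2 + rng(n - 3)
    x0 = s * s % n                            # a random quadratic residue
    pad, x_last = bbs(x0, n, len(blocks), h)
    return [m ^ b for m, b in zip(blocks, pad)], x_last


def recover_x0(sk, x_last, t):
    """Prop. 9.15: u = x_{t+1}^{d_1} mod p and v = x_{t+1}^{d_2} mod q equal
    x_0 mod p and mod q, because on quadratic residues the (p+1)/4-th power
    undoes one squaring when p = 3 (mod 4)."""
    p, q, a, b = sk
    d1 = pow((p + 1) // 4, t + 1, p - 1)
    d2 = pow((q + 1) // 4, t + 1, q - 1)
    u = pow(x_last, d1, p)
    v = pow(x_last, d2, q)
    return (v * a * p + u * b * q) % (p * q)   # CRT: = u (mod p), = v (mod q)


def bg_decrypt(sk, ciphertext):
    cblocks, x_last = ciphertext
    n = sk[0] * sk[1]
    x0 = recover_x0(sk, x_last, len(cblocks))
    pad, _ = bbs(x0, n, len(cblocks), block_length(n))
    return [c ^ b for c, b in zip(cblocks, pad)]


def demo(blocks=(0xA, 0x5, 0xF, 0x0, 0x3, 0x9)):
    n, sk = bg_keygen(P, Q)
    ct = bg_encrypt(n, list(blocks))
    # Ciphertext expansion is the single extra value x_{t+1}: at most ceil(log2 n) bits.
    return bg_decrypt(sk, ct), block_length(n), ct[1].bit_length() <= n.bit_length()
```

For the toy modulus $n \approx 2^{30}$ the block length is only $h = 4$; for a 1024-bit modulus it is $h = 9$, which is what makes the scheme's expansion constant rather than proportional to the message length as in Goldwasser-Micali.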
10. Cryptographic Hash Functions
A hash function is a computationally efficient function mapping a message of arbitrary length to a message digest of fixed length, typically $n = 128$, 160 or 256 bits.
In cryptography these hash functions are used in several applications including the following:
- In signature schemes the signature is applied to the short hash of the message rather than to the long message itself.
- To assure data integrity, to protect software and to protect against viruses: modification of data can be detected by a changed hash (MDC, modification/manipulation detection code; MAC, message authentication code).
Hash functions are typically publicly known and involve no secret keys. The formal description of hash functions is as follows:
$\mathcal{M}$: message space (e.g., $\mathcal{M} = \bigcup_{l=0}^{\infty} \{0,1\}^l = \{0,1\}^*$),
$\mathcal{Y}$: finite set of possible hash values (digest, hash digest, authentication tag) (e.g., $\mathcal{Y} = \{0,1\}^{128}$),
$\mathcal{K}$: a finite set of keys (key space),
$h$: hash function $h : \mathcal{M} \times \mathcal{K} \to \mathcal{Y} : (m, k) \mapsto h(m, k)$.
A hash function $h$ is called unkeyed (schlüssellos) if $|\mathcal{K}| = 1$ or $h : \mathcal{M} \to \mathcal{Y}$. The pair $(m, h(m))$ is called a valid pair.
10.1. Security of Hash Functions
In the following only unkeyed hash functions will be regarded.
The basic requirements for a cryptographic hash function:
1. Given $m \in \mathcal{M}$, $h(m)$ is easy to compute.
2. Given $y \in \mathcal{Y}$, it is infeasible to find $m \in \mathcal{M}$ such that $h(m) = y$. If this property holds, we call the hash function preimage resistant (urbildresistent, Einwegfunktion).
3. Given $m \in \mathcal{M}$, it is infeasible to find $m' \neq m$ such that $h(m) = h(m')$. In this case $h$ is called second preimage resistant (schwach kollisionsresistent).
4. It is infeasible to find $m \neq m' \in \mathcal{M}$ with $h(m) = h(m')$. In this case we call $h$ (strongly) collision free (stark kollisionsresistent).
Example 10.1. a) $h(m) = m \bmod n$ for some $n \in \mathbb{N}$. This function is efficiently computable, but neither preimage resistant (select $m = y$), nor second preimage resistant, nor collision free (select $m' \equiv m \pmod n$ with $m' \neq m$).
b) $h(m) = m^2 - 1 \bmod p$ for some prime $p$. This is not preimage resistant, as computing square roots modulo $p$ is easy (and of course $m$ and $p - m$ collide).
c) $h(m) = m^2 \bmod n$, where $n = pq$ for two distinct primes $p$ and $q$. This hash function is preimage resistant, as QRSP$(a, n)$ is equivalent to FAC$(n)$. But this function is neither second preimage resistant nor collision free (select $m' = -m \bmod n$).
Example 10.2. (The discrete logarithm hash function)
Select $q$ prime such that $p = 2q + 1$ is also prime (cf. Prop. 7.5). Now choose two primitive elements $a, b$ modulo $p$.
Let $m = x_0 + x_1 q$, $0 \leq x_0, x_1 \leq q - 1$.
Define a hash function $h$ as
$$h(m) = a^{x_0} b^{x_1} \bmod p.$$
The hash function $h$ maps integers of size $q^2$ to integers of size $p$, i.e., to integers with approximately half as many bits. Further, the computation of $h(m)$ is much too slow for practical applications. On the other hand, this hash function is an example of a provably collision free hash function, under the assumption that discrete logarithms modulo $p$ are hard.
Proof. We show that when $m \neq m'$ with $h(m) = h(m')$ are known, the discrete logarithm $k = \log_a b \pmod p$ can be determined. Note that there exists $k \in \{1, \dots, p-1\}$ such that $a^k \equiv b \pmod p$, since $a$ is a primitive element modulo $p$.
Write $m = x_0 + x_1 q$ and $m' = x'_0 + x'_1 q$.
Assume $a^{x_0} b^{x_1} \equiv a^{x'_0} b^{x'_1} \pmod p$. Rewrite
$$a^{x_0} a^{k x_1} \equiv a^{x'_0} a^{k x'_1} \pmod p, \qquad (10.1)$$
$$a^{k(x_1 - x'_1) - (x'_0 - x_0)} \equiv 1 \pmod p. \qquad (10.2)$$
Since $a$ is a primitive element modulo $p$:
$$k(x_1 - x'_1) - (x'_0 - x_0) \equiv 0 \pmod{p-1}, \qquad (10.3)$$
$$k(x_1 - x'_1) \equiv x'_0 - x_0 \pmod{p-1}. \qquad (10.4)$$
It holds that $x_1 - x'_1 \not\equiv 0 \pmod{p-1}$: otherwise (10.4) gives $x_0 \equiv x'_0 \pmod{p-1}$, and since $0 \leq x_0, x'_0 < q < p - 1$ this means $x_0 = x'_0$, so $m = m'$ would follow. Now $k$ can be efficiently computed (cf. exercise): as $0 < |x_1 - x'_1| < q$ and $p - 1 = 2q$, we have $d = \gcd(x_1 - x'_1, p-1) \in \{1, 2\}$, so congruence (10.4) has exactly $d$ solutions modulo $p-1$, and the right one is identified by checking $a^k \equiv b \pmod p$.
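The collision-to-discrete-logarithm reduction of Example 10.2 carried out in Python, as an added example (not from the lecture notes). It uses the safe prime $p = 2039$ ($q = 1019$) and a brute-force collision search, which is cheap here because the hash has only $p - 1$ possible outputs; the solver for congruence (10.4) handles the $\gcd \in \{1, 2\}$ ambiguity explicitly. The primes, the logarithm 777 and all function names are constructed.

```python
"""Example 10.2: a collision of the discrete-logarithm hash h(m) = a^{x0} b^{x1}
mod p gives log_a b via congruence (10.4). Added example, not part of the
lecture notes; p = 2q + 1 = 2039 and the message range are constructed."""
from math import gcd


def is_primitive(g, p):
    """For a safe prime p = 2q + 1, g is primitive iff g^2 != 1 and g^q != 1 (mod p)."""
    q = (p - 1) // 2
    return 1 < g < p and pow(g, 2, p) != 1 and pow(g, q, p) != 1


def find_primitive(p, start=2):
    g = start
    while not is_primitive(g, p):
        g += 1
    return g


def dl_hash(m, p, a, b):
    """h(m) = a^{x0} * b^{x1} mod p for m = x0 + x1*q, 0 <= x0, x1 <= q - 1."""
    q = (p - 1) // 2
    x0, x1 = m % q, m // q
    assert 0 <= x1 < q, "m out of range [0, q^2)"
    return pow(a, x0, p) * pow(b, x1, p) % p


def find_collision(p, a, b):
    """Brute-force the first pair m != m' with h(m) = h(m'): only p - 1 outputs
    for q^2 inputs, and the birthday bound says about sqrt(p) trials suffice."""
    q = (p - 1) // 2
    seen = {}
    for m in range(q * q):
        h = dl_hash(m, p, a, b)
        if h in seen:
            return seen[h], m
        seen[h] = m
    raise AssertionError("unreachable by the pigeonhole principle")


def dlog_from_collision(p, a, b, m, m2):
    """Solve k(x1 - x1') = x0' - x0 (mod p-1), congruence (10.4). Since
    0 < |x1 - x1'| < q, gcd(x1 - x1', p-1) is 1 or 2: at most two candidates,
    checked against a^k = b."""
    q = (p - 1) // 2
    x0, x1 = m % q, m // q
    y0, y1 = m2 % q, m2 // q
    mod = p - 1
    coeff, rhs = (x1 - y1) % mod, (y0 - x0) % mod
    d = gcd(coeff, mod)
    assert coeff != 0 and rhs % d == 0
    k0 = (rhs // d) * pow(coeff // d, -1, mod // d) % (mod // d)
    for j in range(d):
        k = k0 + j * (mod // d)
        if pow(a, k, p) == b % p:
            return k
    raise ValueError("no solution: a is not primitive or the inputs do not collide")


def demo(p=2039, log=777):
    a = find_primitive(p)
    b = pow(a, log, p)            # b is primitive too, since gcd(777, 2038) = 1
    m, m2 = find_collision(p, a, b)
    return a, m, m2, dlog_from_collision(p, a, b, m, m2)
```

The point of the exercise is the direction of the reduction: anyone who can produce a collision of $h$ can compute $\log_a b$, so as long as that logarithm is hard, no collision can be found.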
If the output of a hash function consists of $n$ bits, then the probability of guessing a document with a given hash is approximately $2^{-n}$, a usually small number. However, the probability of constructing a collision is much higher. This is due to the so-called birthday paradox.
Proposition 10.3. $k$ objects are randomly put into $n$ bins. Let $p_{k,n}$ denote the probability that no bin contains two or more objects (there is no collision). Then
$$p_{k,n} = \frac{n(n-1)(n-2)\cdots(n-k+1)}{n^k} \approx \exp\Big(-\frac{k(k-1)}{2n}\Big).$$
Proof.
$$p_{k,n} = \frac{\text{number of collision free assignments}}{\text{number of all possible assignments}} = \frac{n(n-1)(n-2)\cdots(n-k+1)}{n^k} = 1 \cdot \Big(1 - \frac1n\Big) \cdots \Big(1 - \frac{k-1}{n}\Big)$$
$$= \exp\Big(\sum_{i=0}^{k-1} \ln\Big(1 - \frac{i}{n}\Big)\Big) \approx \exp\Big(-\sum_{i=0}^{k-1} \frac{i}{n}\Big) = \exp\Big(-\frac{k(k-1)}{2n}\Big).$$
In the proof we use that $\ln x \leq x - 1$ for $x > 0$, i.e., $\ln(1 - x) \leq -x$ for $x < 1$, with equality up to second order for small $x$. Because of the inequality, the approximation is in fact an upper bound on $p_{k,n}$.
The name "birthday paradox" comes from the following famous example: Let $n = 365$ (days) and $k = 23$ (people). Assume that birthdays are uniformly distributed. Then the probability that at least two people have their birthday on the same day is bigger than $\frac12$, since
$$p_{23,365} \approx \exp\Big(-\frac{23 \cdot 22}{2 \cdot 365}\Big) \approx 0.499998.$$
In general it holds that $p_{k,n} \leq \frac12$ if $k \geq \sqrt{2n \ln 2} + 1 \approx 1.17\sqrt n + 1$, since
$$k - 1 \geq \sqrt{2n \ln 2} \ \Rightarrow\ \frac{(k-1)^2}{2n} \geq \ln 2 \ \Rightarrow\ p_{k,n} \leq \exp\Big(-\frac{k(k-1)}{2n}\Big) \leq \exp\Big(-\frac{(k-1)^2}{2n}\Big) \leq \frac12.$$
Applying this result to hash functions we conclude that by generating $1.17\sqrt n$ hash values for distinct messages (for an $\ell$-bit hash $n = 2^\ell$, i.e. about $2^{\ell/2}$ values) the probability of a collision is larger than $\frac12$. To avoid this kind of brute force attack, the length of hash values is usually chosen larger than 128 bits.
Proposition 10.4. (Generalized birthday paradox) $k$ red and $k$ blue balls are randomly put into $n$ bins. If $k = \sqrt{\lambda n}$, then the probability that at least one bin contains a red and a blue ball is approximately $1 - e^{-\lambda}$.
Proof. For a proof and a detailed examination of possible applications in cryptography see [GCC88].
From the generalized birthday paradox an attack against hash functions with "short" hash values can be derived, which has impact on real world applications. In most signature schemes only a hash value of the message is digitally signed; hence by producing two distinct messages with the same hash value, a valid signature for one of the messages can eventually be used for the other message. Consider for example a hash function with hash length 64 bits.
An attacker Oscar generates slight variations at 35 places in the original document $m$ (each place offers two equivalent wordings, written {first | second} below):
Example: The bank A {will | promises to} {give | let} Oscar an amount of 100 {US | American} dollars {before | until} May 2007 for {use | investment} ...
He now does the same with a fraudulent document $m'$:
Example: The bank A {will | promises to} {give | let} Oscar an amount of 20 mill. {US | American} dollars {before | until} May 2007 as {present | donation} which {will | shall} ... not be returned ...
He now computes all $2^{35}$ hash values for the first group of documents and also all $2^{35}$ hash values for the second group. The probability of having a collision between both groups of hashes is computed using Proposition 10.4 with $n = 2^{64}$ and $k = 2^{35}$, which leads to $\lambda = k^2/n = 2^6 = 64$. Hence the probability of a collision is $1 - e^{-64} \approx 1$. Oscar then has the honest version $m$ signed and later presents the fraudulent $m'$ with the same signature.
To see that this attack is indeed practical, consider the amount of hash values to be computed for this attack. We need $2 \cdot 2^{35}$ hash values of length 64 bits, which corresponds to $2^{39}$ bytes, about 550 GB (only one group actually has to be stored; the other can be streamed past it). Finding a collision between the groups can be done in $O(k \log k)$ steps for $k = 2^{35}$ by first sorting one of the groups and then searching each value of the other group in the sorted group by binary search.
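The two-family attack above scaled down to a size that runs in about a second, as an added Python example (not from the lecture notes): 15 binary wording choices per document instead of 35, and a 24-bit truncation of SHA-256 standing in for a 64-bit hash, so that $\lambda = k^2/n = 2^{30}/2^{24} = 64$ exactly as in the text. The document templates, the truncated hash and the function names are constructed for illustration.

```python
"""Generalized birthday attack (Prop. 10.4) on a short hash, scaled down from
the text's 64-bit / 35-slot example: two document families with 15 binary
wording choices each and a 24-bit truncation of SHA-256. Added example, not part
of the lecture notes; documents, slots and the truncation are constructed."""
import hashlib
import math
from itertools import product

HASH_BITS = 24                       # n = 2^24 bins
# Each tuple is a choice point with two equivalent wordings (15 per document).
HONEST = [
    "The bank A ", ("will", "promises to"), " ", ("give", "let"), " Oscar ",
    ("an amount of", "the sum of"), " 100 ", ("US", "American"), " dollars ",
    ("before", "until"), " May 2007 for ", ("use", "investment"), ("", " purposes"),
    ". ", ("This", "The"), " ", ("amount", "sum"), " ", ("is", "shall be"), " ",
    ("repaid", "returned"), " ", ("in full", "completely"), " ", ("by", "before"),
    " ", ("the end of", "end of"), " 2008", (".", ". "),
]
FRAUD = [
    "The bank A ", ("will", "promises to"), " ", ("give", "let"), " Oscar ",
    ("an amount of", "the sum of"), " 20 mill. ", ("US", "American"), " dollars ",
    ("before", "until"), " May 2007 as ", ("a present", "a donation"), ("", " to him"),
    " which ", ("will", "shall"), " ", ("not", "never"), " ", ("be", "have to be"), " ",
    ("returned", "repaid"), " ", ("in any part", "at all"), ", ",
    ("now", "then"), " or ", ("later", "ever"), (".", ". "),
]


def variants(template):
    """All 2^k documents of a template with k binary choice points."""
    k = sum(isinstance(part, tuple) for part in template)
    for choice in product((0, 1), repeat=k):
        it = iter(choice)
        yield "".join(part[next(it)] if isinstance(part, tuple) else part
                      for part in template)


def short_hash(doc, bits=HASH_BITS):
    """Constructed 'short hash': the leading `bits` bits of SHA-256."""
    digest = int.from_bytes(hashlib.sha256(doc.encode()).digest(), "big")
    return digest >> (256 - bits)


def success_probability(k, n):
    """Prop. 10.4 with lambda = k^2 / n: P(at least one red/blue collision)."""
    return 1 - math.exp(-(k * k) / n)


def find_cross_collision(honest_template=HONEST, fraud_template=FRAUD):
    """Store one family in a table (the text sorts it; a hash map is the
    expected-linear-time equivalent) and stream the other family through it."""
    table = {}
    for doc in variants(fraud_template):
        table.setdefault(short_hash(doc), doc)
    for doc in variants(honest_template):
        h = short_hash(doc)
        if h in table:
            return doc, table[h]
    return None


if __name__ == "__main__":
    honest, fraud = find_cross_collision()
    print(hex(short_hash(honest)), honest, fraud, sep="\n")
```

Doubling the hash length to 48 bits would push $\lambda$ down to $2^{-18}$ for the same effort; this is the quantitative reason the text asks for digests longer than 128 bits, where $2^{64}$ evaluations per family are needed.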
10.2. Construction of Hash Functions
The construction scheme of most of the currently used hash functions can be described as follows: the padded message is split into blocks of fixed size, and a compression function is applied block by block to a chaining value that starts from a fixed initial value; the final chaining value is the hash (see Algorithm 10 for SHA-1).
Examples for this type of hash functions are
- MD5 (Rivest, 1992, hash length: 128 bits),
- SHA-1 (NIST, 1995, successor of SHA (Secure Hash Algorithm, 1993), hash length: 160 bits),
- SHA-256, SHA-384, SHA-512 (NIST, 2001, hash lengths of 256, 384 and 512 bits).
FIPS 180-2 is a standard from August 2002 which contains the SHA family.
10.2.1. Description of SHA-1
a) The SHA-1 algorithm uses several operations on 32-bit words:
- $A \wedge B$, $A \vee B$, $A \oplus B$: bitwise and, or and xor,
- $\neg A$: bitwise complement,
- $A + B$: addition modulo $2^{32}$,
- $\mathrm{ROTL}_S(A)$: cyclic left shift by $0 \leq S \leq 31$ positions.
b) Padding of the message $m$ follows a somewhat more advanced scheme known as SHA-1-PAD($m$). A pseudocode description of SHA-1-PAD($m$) is given in Algorithm 9.
Algorithm 9 Padding algorithm used for SHA-1: SHA-1-PAD($m$)
Input: Input message $m$ of length $|m| \leq 2^{64} - 1$ bits
Output: Message $m$ padded to a length divisible by 512
  $d \leftarrow (447 - |m|) \bmod 512$
  $l \leftarrow$ the binary representation of $|m|$, where $|l| = 64$ (leading zeros are used if necessary)
  $m' \leftarrow m \parallel 1 \parallel 0^d \parallel l$
  return $m'$
where $\parallel$ denotes concatenation.
c) Functions and constants used in SHA-1 are given as
$$f_i(B, C, D) = \begin{cases} (B \wedge C) \vee (\neg B \wedge D), & \text{for } 0 \leq i \leq 19, \\ B \oplus C \oplus D, & \text{for } 20 \leq i \leq 39,\ 60 \leq i \leq 79, \\ (B \wedge C) \vee (B \wedge D) \vee (C \wedge D), & \text{for } 40 \leq i \leq 59, \end{cases}$$
$$K_i = \begin{cases} \mathtt{5A827999}, & \text{for } 0 \leq i \leq 19, \\ \mathtt{6ED9EBA1}, & \text{for } 20 \leq i \leq 39, \\ \mathtt{8F1BBCDC}, & \text{for } 40 \leq i \leq 59, \\ \mathtt{CA62C1D6}, & \text{for } 60 \leq i \leq 79. \end{cases}$$
d) Now the complete SHA-1 algorithm can be described in pseudocode as given in Algorithm 10.
Recent results in the cryptanalysis of hash functions point to severe problems. Recommendations of the NIST from 2005 include
- not to use MD4 and MD5 anymore, and
- to find alternatives to SHA-1 until 2010 and not to use SHA-1 anymore from then.
Practical collisions have been published for MD4 and MD5, and collision attacks on SHA-1 far below the generic birthday bound of $2^{80}$ are known (a practical SHA-1 collision was demonstrated in 2017). Shamir suggested a completely new design process like the one for AES; this led to the SHA-3 competition, won by Keccak in 2012.
10.3. Message Authentication
We aim at protecting messages against modification. The idea is to compress a given message using an algorithm that involves a secret key and to concatenate the message with this "digital fingerprint" (message authentication code, MAC).
Algorithm 10 The SHA-1 hash function
Input: A message $m$
Output: Hash value for $m$ of length 160 bits
  $m' \leftarrow$ SHA-1-PAD($m$)
  Let $m' = M_1 \parallel M_2 \parallel \dots \parallel M_n$, each $M_i$ a 512-bit block
  $H_0 \leftarrow$ 67452301
  $H_1 \leftarrow$ EFCDAB89
  $H_2 \leftarrow$ 98BADCFE
  $H_3 \leftarrow$ 10325476
  $H_4 \leftarrow$ C3D2E1F0
  for ($i \leftarrow 1$; $i \leq n$; $i$++) do
    Let $M_i = W_0 \parallel W_1 \parallel \dots \parallel W_{15}$, each $W_j$ a 32-bit word
    for ($t \leftarrow 16$; $t \leq 79$; $t$++) do
      $W_t \leftarrow \mathrm{ROTL}_1(W_{t-3} \oplus W_{t-8} \oplus W_{t-14} \oplus W_{t-16})$
    end for
    $A \leftarrow H_0$; $B \leftarrow H_1$; $C \leftarrow H_2$; $D \leftarrow H_3$; $E \leftarrow H_4$
    for ($t \leftarrow 0$; $t \leq 79$; $t$++) do
      $temp \leftarrow \mathrm{ROTL}_5(A) + f_t(B, C, D) + E + W_t + K_t$
      $E \leftarrow D$
      $D \leftarrow C$
      $C \leftarrow \mathrm{ROTL}_{30}(B)$
      $B \leftarrow A$
      $A \leftarrow temp$
    end for
    $H_0 \leftarrow H_0 + A$; $H_1 \leftarrow H_1 + B$; $H_2 \leftarrow H_2 + C$; $H_3 \leftarrow H_3 + D$; $H_4 \leftarrow H_4 + E$
  end for
  return $H_0 \parallel H_1 \parallel H_2 \parallel H_3 \parallel H_4$
Example 10.5. (MAC by CBC-mode)
Use a fast block cipher like AES in CBC-Mode with some initial value C
0
and a key K.
Now compute successively
C
i
= AES
K
(C
i1
M
i
), i = 1, . . . , n.
Then use the last value C
n
as message authentication code.
10.3.1. A General Construction Principle for MACs
Given an unkeyed hash function h and some key K, compute for example
$$\mathrm{MAC}_K(m) = h(K \,|\, p \,|\, m) \quad \text{or} \quad \mathrm{MAC}_K(m) = h(K \,|\, p \,|\, m \,|\, K),$$
where p are padding bits and | stands for simple concatenation.
A somewhat more sophisticated way to construct MACs from unkeyed hash functions is
the so-called HMAC standard (Keyed-Hash Message Authentication Code, FIPS PUB 198).
The HMAC algorithm, as described in the standard [Pro], is given as
$$\mathrm{HMAC}_K(m) = h\big((K_0 \oplus \mathrm{opad}) \,|\, h((K_0 \oplus \mathrm{ipad}) \,|\, m)\big).$$
In the description the following notation is used:
- $K_0$: the preprocessed key, obtained by turning K into a key of B bytes (for details see [Pro]),
- ipad: the inner pad, the byte 0x36 repeated B times,
- opad: the outer pad, the byte 0x5C repeated B times.
HMAC-MD5 is a standard MAC in the Internet and HMAC-SHA1 is also widely used.
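As an added example (not part of the lecture notes), the following Python code transcribes Algorithm 10 and the HMAC construction above and cross-checks both against the standard library. The round functions $f_t$, the constants $K_t$ and the padding rule SHA-1-PAD are not spelled out on this page; they are taken from FIPS 180, and B = 64 bytes is the SHA-1 block size.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    """ROTL^n(x): rotate a 32-bit word left by n positions."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_pad(m: bytes) -> bytes:
    """SHA-1-PAD (FIPS 180): append 0x80, zero bytes up to 56 mod 64, then the
    64-bit big-endian bit length, so the result is a multiple of 512 bits."""
    bit_len = 8 * len(m)
    m += b"\x80"
    m += b"\x00" * ((56 - len(m) % 64) % 64)
    return m + struct.pack(">Q", bit_len)


def f_and_k(t: int, b: int, c: int, d: int):
    """Round function f_t(B, C, D) and round constant K_t (FIPS 180)."""
    if t < 20:
        return ((b & c) | (~b & d)) & MASK32, 0x5A827999
    if t < 40:
        return b ^ c ^ d, 0x6ED9EBA1
    if t < 60:
        return (b & c) | (b & d) | (c & d), 0x8F1BBCDC
    return b ^ c ^ d, 0xCA62C1D6


def sha1(m: bytes) -> bytes:
    """Algorithm 10: the 160-bit SHA-1 digest of m."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    padded = sha1_pad(m)
    for i in range(0, len(padded), 64):                       # one 512-bit block M_i per round
        w = list(struct.unpack(">16I", padded[i:i + 64]))     # W_0 .. W_15
        for t in range(16, 80):                               # message schedule W_16 .. W_79
            w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h
        for t in range(80):
            f, k = f_and_k(t, b, c, d)
            temp = (rotl(a, 5) + f + e + w[t] + k) & MASK32
            e, d, c, b, a = d, c, rotl(b, 30), a, temp
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    return b"".join(struct.pack(">I", x) for x in h)


def hmac_sha1(key: bytes, msg: bytes, block_size: int = 64) -> bytes:
    """HMAC_K(m) = h((K_0 xor opad) | h((K_0 xor ipad) | m)) with h = SHA-1.
    K_0: the key, hashed first if longer than B bytes, then zero-padded to B bytes."""
    if len(key) > block_size:
        key = sha1(key)
    k0 = key + b"\x00" * (block_size - len(key))
    ipad = bytes(x ^ 0x36 for x in k0)
    opad = bytes(x ^ 0x5C for x in k0)
    return sha1(opad + sha1(ipad + msg))


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check both functions against hashlib/hmac on the same constructed input."""
    return (sha1(msg) == hashlib.sha1(msg).digest()
            and hmac_sha1(key, msg) == hmac.new(key, msg, hashlib.sha1).digest())
```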
11. Signature Schemes
A method for signing a message stored in electronic form is also called a digital signature.
The requirements for such signatures are the same as for conventional signatures, namely
- they must be verifiable,
- they must be forgery-proof, and
- they must be firmly connected to the document.
For certain applications a repeated use of copies must be avoided; such applications make
use of so-called time stamps.
Possible attacks against digital signatures are grouped into the following classes:
- Key only attack: The opponent knows the public key only.
- Known message attack: Oscar has signatures for a set of messages which are known, but
  not chosen by him.
- Chosen message attack: Oscar obtains signatures for a set of chosen messages.
  a) Non-adaptive: Messages are chosen before any signature is seen.
  b) Adaptive: Messages may depend on previous signatures.
Attacks against digital signature schemes can aim at and may result in
- the total break of the system, meaning that the opponent can sign any message,
- selective forgery, which means that only a particular class of messages can be signed,
- or existential forgery, where Oscar can forge a signature for at least one message.
11.1. The ElGamal Signature Scheme
The asymmetric ElGamal cryptosystem also leads to a signature scheme. The generation
of public and private keys is just like in Section 8.2, hence for each user we have a private
key $x \in \mathbb{Z}_p^*$ and a public key $y = a^x \bmod p$, where a is a primitive element modulo some
publicly known prime p.
The generation and verification of the signature of a message m is described in Algorithms
11 and 12, respectively.
Algorithm 11 ElGamal signature generation
Input: A message m, an ElGamal private key $x \in \{2, \dots, p-2\}$
Output: A signature (r, s) for m
Select a random secret $k \in \{1, \dots, p-2\}$ with $\gcd(k, p-1) = 1$
$r \leftarrow a^k \bmod p$
Compute $k^{-1} \bmod (p-1)$
$s \leftarrow \big(k^{-1}(h(m) - xr)\big) \bmod (p-1)$
return (r, s)
Algorithm 12 ElGamal signature verification
Input: An ElGamal signature (r, s), the corresponding message m and the corresponding
ElGamal public key $y \in \mathbb{Z}_p^*$.
Output: True, if the signature is valid, False otherwise
Verify that $1 \le r \le p-1$
$v_1 \leftarrow y^r r^s \bmod p$
$v_2 \leftarrow a^{h(m)} \bmod p$
if ($v_1 = v_2$) then
    return True
else
    return False
end if
As the values $k^{-1}$, r and xr can be computed in advance, only one multiplication is needed
online for signature generation. The verification procedure indeed works (writing m for the
hashed message h(m) of Algorithm 11), as
$$ks \equiv m - xr \pmod{p-1} \iff m \equiv xr + ks \pmod{p-1} \iff xr + ks = l(p-1) + m \text{ for some } l \in \mathbb{N}.$$
Hence,
$$y^r r^s \equiv a^{xr} a^{ks} \equiv a^{xr+ks} \equiv a^{l(p-1)} a^m \equiv (a^{p-1})^l a^m \equiv a^m \pmod p.$$
11.1.1. Security of the ElGamal Signature Scheme
There are mainly two issues concerning the security of the ElGamal signature scheme:
1. The session key k must be different in each signature generation. Otherwise the
private key x can be reconstructed from two messages as follows:
Let $s_1 = k^{-1}(m_1 - xr) \bmod (p-1)$ and $s_2 = k^{-1}(m_2 - xr) \bmod (p-1)$ be two
signature values computed with the same k, then
$$(s_1 - s_2)k \equiv (m_1 - m_2) \pmod{p-1} \implies k \equiv (s_1 - s_2)^{-1}(m_1 - m_2) \pmod{p-1},$$
provided $s_1 - s_2$ is invertible modulo $p-1$.
Once k is known, the private key x can be computed (cf. Algorithm 11).
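Added example (Python, not from the notes): Algorithms 11 and 12 with constructed toy parameters p = 467, a = 2 (a primitive root modulo 467), together with the key recovery from a repeated k described in point 1, which a signing library's test suite can use to confirm that a session key is never reused. The hash h is taken as SHA-1 reduced modulo p-1; that reduction and the toy sizes are assumptions.

```python
import hashlib
from math import gcd


def h_sha1(m: bytes, p: int) -> int:
    """h(m): SHA-1 of the message, reduced modulo p-1 (reduction assumed for the toy p)."""
    return int.from_bytes(hashlib.sha1(m).digest(), "big") % (p - 1)


def elgamal_sign(p, a, x, m, k, h=h_sha1):
    """Algorithm 11 with the session key k passed in explicitly."""
    if not (1 <= k <= p - 2 and gcd(k, p - 1) == 1):
        raise ValueError("k must lie in {1,...,p-2} and be coprime to p-1")
    r = pow(a, k, p)
    s = (pow(k, -1, p - 1) * (h(m, p) - x * r)) % (p - 1)
    return r, s


def elgamal_verify(p, a, y, m, sig, h=h_sha1):
    """Algorithm 12."""
    r, s = sig
    if not 1 <= r <= p - 1:
        return False
    v1 = (pow(y, r, p) * pow(r, s, p)) % p
    v2 = pow(a, h(m, p), p)
    return v1 == v2


def recover_private_key(p, a, y, m1, sig1, m2, sig2, h=h_sha1):
    """Point 1 of 11.1.1: two signatures made with the same k share r and reveal k, then x.
    Returns None when s_1 - s_2 is not invertible modulo p-1."""
    (r1, s1), (r2, s2) = sig1, sig2
    n = p - 1
    if r1 != r2:
        return None                      # different k, nothing to recover
    ds = (s1 - s2) % n
    if gcd(ds, n) != 1:
        return None
    k = (pow(ds, -1, n) * (h(m1, p) - h(m2, p))) % n
    # Algorithm 11 gives x*r = h(m1) - k*s1 (mod p-1); r may share a factor with p-1,
    # so solve the linear congruence and keep the candidate that matches y = a^x.
    rhs = (h(m1, p) - k * s1) % n
    g = gcd(r1, n)
    if rhs % g:
        return None
    x0 = ((rhs // g) * pow(r1 // g, -1, n // g)) % (n // g)
    for i in range(g):
        x = x0 + i * (n // g)
        if pow(a, x, p) == y:
            return x
    return None
```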
2. An opponent can forge a signature as follows: Select a pair $(u, v) \in \mathbb{Z} \times \mathbb{Z}$ such that
$\gcd(v, p-1) = 1$. Then compute
$$r = a^u y^v = a^{u+xv} \bmod p, \qquad s = -r v^{-1} \bmod (p-1).$$
Then (r, s) is a valid signature for the message $m = su \bmod (p-1)$. This can be
shown as follows (with $v v^{-1} = l(p-1) + 1$ and $l' = xrl$):
$$\begin{aligned}
v_1 &= y^r r^s = a^{xr} a^{(u+xv)(-rv^{-1})} \bmod p \\
    &= a^{xr - urv^{-1} - xr(l(p-1)+1)} \bmod p \\
    &= a^{-urv^{-1}} a^{-l'(p-1)} \bmod p \\
    &= a^{-urv^{-1}} \bmod p, \\
v_2 &= a^m \bmod p = a^{su} \bmod p \\
    &= a^{-urv^{-1}} \bmod p.
\end{aligned}$$
This attack can be avoided by using a cryptographic hash function h. Then h(m) is
signed instead of m; this is a common procedure in signature schemes.
11.2. The Digital Signature Algorithm (DSA)
One important application of cryptographic hash functions is their use in digital signature
schemes. One widely used signature algorithm is DSA, which also involves a cryptographic
hash function; the standard prescribes SHA-1.
The DSA was proposed by NIST in August 1991 and has been standardized as
FIPS 186, named DSS (Digital Signature Standard). The development was carried out by
the NSA (not publicly). The DSA is a variant of the ElGamal signature scheme (cf. 11.1).
System parameters of DSA Each user generates a public and a private key as follows:
1. Choose a prime q with $2^{159} < q < 2^{160}$.
2. Choose $t \in \mathbb{N}$, $0 \le t \le 8$, further a prime p such that $2^{511+64t} < p < 2^{512+64t}$ and
$q \mid (p-1)$ (NIST recommended in October 2001 to choose only t = 8).
3. Select $g \in \mathbb{Z}_p^*$ and compute $a = g^{(p-1)/q} \bmod p$ until $a \ne 1$. Then a is a generator of
the cyclic subgroup of order q in $\mathbb{Z}_p^*$.
4. Choose some random $x \in \{2, \dots, p-1\}$.
5. Compute $y = a^x \bmod p$.
6. Public key: (p, q, a, y), private key: x.
Signing a message $m \in \{0, 1\}^*$
1. Choose a random $k \in \{2, \dots, q-2\}$.
2. Compute $r = (a^k \bmod p) \bmod q$.
3. Compute $k^{-1} \bmod q$.
4. Compute $s = k^{-1}(h(m) + xr) \bmod q$.
5. The signature is now (r, s); it has 320 bits in total.
Verification of a signature (r, s) on a message m
1. Check if $0 < r < q$ and $0 < s < q$, otherwise decline.
2. Compute $w = s^{-1} \bmod q$ and h(m).
3. Compute $u_1 = w\,h(m) \bmod q$ and $u_2 = rw \bmod q$.
4. Compute $v = (a^{u_1} y^{u_2} \bmod p) \bmod q$.
5. Accept the signature if v = r.
The signature verification is correct, as for a valid signature it holds that
$$h(m) \equiv ks - xr \pmod q.$$
Hence,
$$u_1 + xu_2 \equiv w\,h(m) + xrw \equiv wks - wxr + xrw \equiv k \pmod q$$
and
$$v = (a^{u_1} a^{xu_2} \bmod p) \bmod q = (a^{u_1 + xu_2} \bmod p) \bmod q = (a^k \bmod p) \bmod q = r.$$
Security of the DSA
- Security relies on two DL problems, on the one hand in $\mathbb{Z}_p^*$ and on the other hand
in the subgroup $\langle a \rangle$ of order q of $\mathbb{Z}_p^*$.
- Security principles of the ElGamal cryptosystem carry over, hence
  - always use a new k,
  - the use of a hash function is mandatory and
  - always verify that $0 < r < q$ and $0 < s < q$ in the verification procedure.
Some remarks concerning efficiency
- The modular exponentiations are carried out with an exponent in the range of q
(160 bits), rather than 1024 bits with ElGamal.
- The values $k, k^{-1}, r, xr$ may be computed in advance.
- Verification needs 2 instead of 3 modular exponentiations as with ElGamal.
- A signature by DSA is relatively short, 320 bits instead of $2 \cdot 1024$ bits with ElGamal.
- In the verification step, also check if $r \ne 0$ and $s \ne 0$, otherwise the signature is
rejected.
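Added example (Python, not from the notes): the DSA signing and verification steps above, including the mandatory range check on (r, s), with constructed toy parameters p = 607, q = 101 and a = 2^((p-1)/q) mod p = 64. Reducing h(m) modulo q and the tiny sizes are assumptions made for the demonstration.

```python
import hashlib


def is_prime(n: int) -> bool:
    """Trial division, sufficient for the toy parameters used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def dsa_params_ok(p: int, q: int, a: int) -> bool:
    """Sanity check of (p, q, a): q | p-1 and a generates the subgroup of order q."""
    return (is_prime(p) and is_prime(q) and (p - 1) % q == 0
            and a != 1 and pow(a, q, p) == 1)


def h_sha1(m: bytes, q: int) -> int:
    """h(m) reduced modulo q (the reduction is an assumption made for the small toy q)."""
    return int.from_bytes(hashlib.sha1(m).digest(), "big") % q


def dsa_sign(p, q, a, x, m, k, h=h_sha1):
    """Signing steps 1-5 with the per-signature secret k passed in explicitly."""
    if not 2 <= k <= q - 2:
        raise ValueError("k must lie in {2,...,q-2}")
    r = pow(a, k, p) % q
    s = (pow(k, -1, q) * (h(m, q) + x * r)) % q
    if r == 0 or s == 0:
        raise ValueError("r or s is 0: pick a new k and sign again")
    return r, s


def dsa_verify(p, q, a, y, m, sig, h=h_sha1):
    """Verification steps 1-5; the range check in step 1 must never be skipped."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (w * h(m, q)) % q
    u2 = (r * w) % q
    v = ((pow(a, u1, p) * pow(y, u2, p)) % p) % q
    return v == r
```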
12. Identification and Entity Authentication
This chapter considers techniques to allow the "verifier" B to establish the identity of the
"claimant" A, thereby preventing impersonation.
Requirements on Authentication Protocols
- A is able to uniquely identify herself to B.
- B cannot reuse an identification exchange with A so as to impersonate A to a third
party C. (transferability)
- It is practically infeasible that a third party C can cause B to wrongly accept the
identity of A. (impersonation)
- Even if C observes the identification process between A and B very often, he cannot
impersonate A.
Categories of Identification
- Something known: The claimant A shows that she knows a secret, for example a
password, PIN or private key.
- Something possessed: Methods in this category rely on the fact that A possesses an
item like a magnetic stripe card, smart card, PIN or a password generator.
- Something inherent: The identification in this category makes use of a property
inherent to a human individual. Examples are human physical characteristics, face
recognition, a fingerprint, the retinal pattern or handwritten signatures.
12.1. Passwords
12.1.1. Fixed Password Schemes
Rather than storing a plaintext user password in a file, a one-way function h is used to
store a value h(pwd) of each user password pwd. Verification is achieved by comparing the
value h(pwd) of the password with the stored one for a given user identity.
Main attacks on these schemes are
- replay of fixed passwords,
- exhaustive password search,
- password guessing and dictionary attacks.
There are certain defense strategies to prevent or complicate the above attacks:
- choice of random or "nearly random" passwords, use of special characters (increasing
"entropy"),
- imposing password rules,
- slowing down the password mapping,
- salting passwords: Extend the password pwd by some random string, the salt, before
hashing. Both the hashed password and the salt are stored, h(pwd, salt) : salt. This
does not complicate exhaustive search, but it does complicate simultaneous dictionary
attacks against a large set of passwords.
12.1.2. One-Time Passwords
One-time passwords are used to protect against eavesdropping and replay of passwords or
"phishing" (a made-up word from password fishing, alike "phreaking").
12.1.3. Lamport's Protocol
The objective of Lamport's protocol is that A identifies herself to B. The protocol uses a
one-way function H. We denote the k-fold application of H as $H^k(w) = H(H(\dots H(w)))$.
The first protocol actions are used to fix the initial parameters:
- Choose t, the maximal number of identifications (t = 100, 1000),
- A chooses an initial password w,
- A transfers $w_0 = H^t(w)$,
- B initializes his counter for A to $i_A = 1$.
The actual protocol actions for session i are:
- A computes $w_i = H^{t-i}(w)$ and transfers to B: $(A, i, w_i)$,
- B checks that $i = i_A$ and $w_{i-1} = H(w_i)$. If both checks succeed, B accepts, sets
$i_A \leftarrow i_A + 1$ and stores $w_i$ for the next session.
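Added example (Python, not from the notes): a simulation of Lamport's protocol with both parties, showing that B stores only $w_{i-1}$ and the counter, and that a replayed or out-of-order password is rejected. SHA-256 as the one-way function H is an assumption; the notes leave H abstract.

```python
import hashlib


def H(w: bytes) -> bytes:
    """One-way function; SHA-256 is an assumption, the notes leave H abstract."""
    return hashlib.sha256(w).digest()


def H_pow(w: bytes, k: int) -> bytes:
    """k-fold application H^k(w) = H(H(...H(w)))."""
    for _ in range(k):
        w = H(w)
    return w


class Claimant:
    """A: keeps the initial password w and derives w_i = H^(t-i)(w) for session i."""
    def __init__(self, w: bytes, t: int):
        self.w, self.t = w, t

    def initial_value(self) -> bytes:
        return H_pow(self.w, self.t)                 # w_0 = H^t(w), transferred to B once

    def password(self, i: int) -> bytes:
        return H_pow(self.w, self.t - i)             # w_i


class Verifier:
    """B: stores only w_{i-1} and the counter i_A, never w itself."""
    def __init__(self, w0: bytes, t: int):
        self.w_prev, self.i_A, self.t = w0, 1, t

    def check(self, i: int, w_i: bytes) -> bool:
        if i != self.i_A or i > self.t:               # session counter must match exactly
            return False
        if H(w_i) != self.w_prev:                     # w_{i-1} = H(w_i)
            return False
        self.w_prev, self.i_A = w_i, self.i_A + 1    # advance the chain for the next session
        return True


def run_sessions(secret: bytes, t: int, rounds: int) -> list:
    """Constructed demo: A identifies herself `rounds` times; returns B's decisions."""
    alice = Claimant(secret, t)
    bob = Verifier(alice.initial_value(), t)
    return [bob.check(i, alice.password(i)) for i in range(1, rounds + 1)]
```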
12.2. Challenge-Response Identification (C-R-Ident.)
We shortly outline the basic ideas of challenge-response protocols.
- The claimant A proves her identity to the verifier B by demonstrating knowledge of
a secret known only to her without revealing the secret itself.
- The demonstration (response) is requested by a time-varying challenge.
- The response from one execution does not provide information for a subsequent
identification, as subsequent challenges will differ.
12.2.1. Challenge-Response Identification by Symmetric-Key Encryption
In this subsection, techniques from ISO/IEC 9798-2 are described (International Organi-
sation for Standardisation/International Electrotechnical Commission). At first we clarify
notation:
- $E_K$: symmetric encryption algorithm with key K,
- $t_A$: time stamp generated by A,
- $r_A, r_B$: random numbers generated by A, B,
- $A \to B : \dots$ : A transmits to B the content $\dots$,
- $(\cdot, \cdot)$: concatenation; optional elements are marked as such.
Unilateral authentication, timestamp based
$A \to B : E_K(t_A, B)$
Upon decryption, B verifies that the timestamp is acceptable. Including the identi-
fier B prevents an adversary from reusing the message immediately.
Unilateral authentication using random numbers
$A \leftarrow B : r_B$
$A \to B : E_K(r_B, B)$
B decrypts the message received from A and verifies $r_B$ from the first message. The
inclusion of the identifier of B again prevents immediate reuse.
Mutual authentication using random numbers
$A \leftarrow B : r_B$
$A \to B : E_K(r_A, r_B, B)$
$A \leftarrow B : E_K(r_B, r_A)$
B decrypts the second message, verifies the number $r_B$ that he sent in the first
message and obtains $r_A$. A later decrypts the third message and verifies $r_A$ as well
as $r_B$.
12.2.2. Challenge-Response by Public-Key Techniques
The principle of challenge-response protocols using public-key techniques is the following.
The claimant A decrypts a challenge that has been encrypted using her public key. We
denote by h a hash function and by $P_A$ the encryption using A's public key. The protocol
actions are carried out as follows.
$A \leftarrow B : h(r_B), B, P_A(r_B, B)$
$A \to B : r_B$
B chooses a random number $r_B$ and computes the witness $h(r_B)$ without revealing $r_B$.
He then computes the challenge $P_A(r_B, B)$. A decrypts $P_A(r_B, B)$ to recover $r', B'$ and
computes $h(r')$. If $h(r') = h(r_B)$ and $B' = B$ she sends $r' = r_B$ to B.
12.2.3. Challenge-Response Based on Digital Signatures
The principle is that the claimant A signs a challenge digitally. We denote by $S_A$ the digital
signature given by A. (If the plaintext is recovered by verification, some of the plaintext
fields below are redundant and may be omitted.) Further, $\mathrm{cert}_A$ denotes a certificate which
contains the authentic public signature key. (This may be omitted if the verifier owns this
key authentically.)
Unilateral with timestamps
$A \to B : \mathrm{cert}_A, t_A, B, S_A(t_A, B)$
B verifies that the time stamp $t_A$ is acceptable, the correct identifier B is given and
that the signature of $(t_A, B)$ is correct.
Unilateral with random numbers
$A \leftarrow B : r_B$
$A \to B : \mathrm{cert}_A, r_A, B, S_A(r_A, r_B, B)$
B verifies its own identifier and checks the validity of A's signature of $(r_A, r_B, B)$.
Mutual authentication with random numbers
$A \leftarrow B : r_B$
$A \to B : \mathrm{cert}_A, r_A, B, S_A(r_A, r_B, B)$
$A \leftarrow B : \mathrm{cert}_B, A, S_B(r_B, r_A, A)$
B verifies as above. A knows $r_A, r_B$ and verifies the validity of B's signature on $(r_B, r_A, A)$.
12.3. Kerberos
Kerberos is the three-headed dog guarding the entrance to Hades in Greek mythology. The
protocol Kerberos grew out of a larger project called "Athena" at the MIT. Its purpose
is to provide strong levels of authentication and security in key exchange between users
and clients in a network. It uses symmetric encryption and relies on a trusted authority
T. The trusted authority is a central server, the Kerberos authentication server. T knows
the secret key of each client and server. We fix the following notation:
- $E_k$: encryption with key k,
- $r_A$: random number generated by A,
- $t_A$: time stamp.
Client A requests access to server B. We give the basic protocol actions for a simplified
version of Kerberos:
1. $A \to T : (A, B, r_A)$
2. T generates a session key k, a validity period l and a ticket $t = (A, k, l)$.
   $T \to A : E_{k_A}(k, r_A, l, B),\ E_{k_B}(t)$
3. A recovers $k, r_A, l, B$ and checks if $r_A$ and B are correct.
   A generates an authenticator $a = (A, t_A)$.
   $A \to B : E_k(a),\ E_{k_B}(t)$
4. B recovers $t = (A, k, l)$, $a = (A, t_A)$ and checks that
   a) the identifier A in the ticket matches the one in a,
   b) $t_A$ is fresh (within a small interval around B's time) and that
   c) $t_A$ is in the validity period l.
   If all checks pass, A's authentication is successful.
Additionally, if B is to be authenticated to A, the following protocol actions are carried
out:
5. $B \to A : E_{k_A}(t_A)$
6. A recovers $t_A$ and checks that $t_A$ is correct; if yes, B is authenticated.
The session key may be used for encrypted communication between A and B.
Remarks
- $r_A$ in the first step allows authentication of T to A (is T active and alive?).
- $t_A$ in step 4 prevents replay attacks of $E_k(a), E_{k_B}(t)$.
- Secure and synchronized clocks are needed.
- The full version of Kerberos includes another server, the so-called ticket-granting
server (cf. [NYHR05]).
12.4. Zero Knowledge Protocols
The disadvantage of simple password protocols is that upon intercepting the owner can
be impersonated. As seen in the previous section, challenge-response protocols improve
on this: A responds to B's challenge in a time-variant manner, providing information
not reusable by B. However, partial information may be revealed. The purpose of zero-
knowledge protocols is that the prover demonstrates knowledge of a secret while revealing
no information whatsoever. Only a single bit of information is conveyed.
A demonstrative example of such a protocol can be found in [QQQ+90]. The basic setting
for the protocol is a cave with a secret door between C and D as depicted in Figure 12.1.
The prover P(eggy) wants to prove her knowledge of the secret door opening mechanism
to a verifier V(ince), without letting him know how the mechanism works.
At first, Peggy and Vince go to point A. Then Peggy vanishes in the cave and chooses one
of the two passages. When she reaches the "dead end", she tells Vince to proceed to point
B. Then Vince throws a dice to decide which passage Peggy should come out from, and
as she knows the secret opening mechanism she can always do so, no matter which
passage she chose before.
By repeating this protocol n times, the probability that Peggy always chooses the right
passage goes down to $2^{-n}$, and for example after 40 repeated runs of the protocol Vince
is convinced that Peggy really knows the secret.
One could now say that by just observing Peggy entering one passage and then coming
out of the other one, the proof could be carried out with just one run and without any
error probability. On the other hand, by just videotaping the whole procedure, Vince
could then afterwards convince anyone that Peggy knows the secret mechanism.
Figure 12.1.: The tunnel used in the zero knowledge protocol (points A, B, C and D)
If Vince is videotaping the whole 40-round protocol described above from his perspective,
anyone viewing the tape afterwards would just say "You just cut out the failed attempts"
or "You agreed upon a left-right-sequence in advance", hence Peggy doesn't lose control
of who she convinces of her knowledge.
12.4.1. Feige-Fiat-Shamir Identification Protocol
In [FFS87] Feige, Fiat and Shamir describe a zero-knowledge authentication protocol.
It relies on the hardness of computing square roots modulo n, n composite. The objective
of the protocol is that A proves her identity to B.
System parameters
1. A trusted authority TA publishes $n = p \cdot q$, $p, q \equiv 3 \pmod 4$.
2. Each entity selects random numbers $s_1, \dots, s_k \in \{1, \dots, n-1\}$ with $\gcd(s_i, n) = 1$,
computes $v_i = (s_i^2)^{-1} \bmod n$ and publishes $v_1, \dots, v_k$.
Protocol actions (repeat these actions t times using a different r)
1. A chooses a random integer r and computes $x = r^2 \pmod n$.
   $A \to B : x$ (witness)
2. B chooses random bits $b_1, \dots, b_k \in \{0, 1\}$.
   $B \to A : (b_1, \dots, b_k)$ (challenge)
3. A computes $y = r \prod_{j=1}^{k} s_j^{b_j} \bmod n$.
   $A \to B : y$ (response)
4. B checks that $y^2 \prod_{j=1}^{k} v_j^{b_j} \equiv x \pmod n$.
Security aspects Oscar wants to impersonate A. Suppose O guesses $(b_1, \dots, b_k)$ before
he sends x. Then O chooses a random integer $a \in \{1, \dots, n-1\}$ and computes
$$x = a^2 \prod_{j=1}^{k} v_j^{b_j} \bmod n.$$
In step 3, O sends: $O \to B : a$.
B checks in step 4 that $a^2 \prod_{j=1}^{k} v_j^{b_j} \equiv x \pmod n$, and hence accepts A's identity. However,
the probability to guess $(b_1, \dots, b_k)$ correctly in t trials is $\frac{1}{2^{tk}}$.
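Added example (Python, not from the notes): one round of the Feige-Fiat-Shamir protocol with both parties, plus the impersonation attempt of the security remark, counted over all $2^k$ challenges to show that a prepared witness survives exactly one of them. The modulus n = 7 * 11 and the secrets are constructed toy values.

```python
from math import gcd
from itertools import product


def all_challenges(k: int) -> list:
    """All 2^k bit vectors (b_1, ..., b_k)."""
    return list(product((0, 1), repeat=k))


def ffs_public_values(n: int, secrets: list) -> list:
    """System parameters step 2: v_i = (s_i^2)^(-1) mod n for each secret s_i."""
    for s in secrets:
        if gcd(s, n) != 1:
            raise ValueError("each s_i must be coprime to n")
    return [pow(s * s % n, -1, n) for s in secrets]


def prover_witness(n: int, r: int) -> int:
    return r * r % n                                  # step 1: x = r^2 mod n


def prover_response(n: int, secrets: list, r: int, bits: tuple) -> int:
    y = r                                             # step 3: y = r * prod s_j^{b_j} mod n
    for s, b in zip(secrets, bits):
        if b:
            y = y * s % n
    return y


def verifier_accepts(n: int, v: list, x: int, bits: tuple, y: int) -> bool:
    lhs = y * y % n                                   # step 4: y^2 * prod v_j^{b_j} == x ?
    for vj, b in zip(v, bits):
        if b:
            lhs = lhs * vj % n
    return lhs == x


def cheater_witness(n: int, v: list, a: int, guessed_bits: tuple) -> int:
    """Security aspects: O guesses the challenge and prepares x = a^2 * prod v_j^{b_j}."""
    x = a * a % n
    for vj, b in zip(v, guessed_bits):
        if b:
            x = x * vj % n
    return x


def honest_round(n: int, secrets: list, v: list, r: int, bits: tuple) -> bool:
    x = prover_witness(n, r)
    y = prover_response(n, secrets, r, bits)
    return verifier_accepts(n, v, x, bits, y)


def cheater_success_count(n: int, v: list, a: int, guessed_bits: tuple) -> int:
    """Number of the 2^k challenges the prepared witness survives when O answers with a."""
    x = cheater_witness(n, v, a, guessed_bits)
    return sum(verifier_accepts(n, v, x, bits, a) for bits in all_challenges(len(v)))
```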
An identification scheme based on the Feige-Fiat-Shamir protocol Let $I_A$ be an iden-
tification string for A, containing, e.g., A's name, birth date, affiliation etc. We further
assume that h is some publicly known hash function. Some trusted authority TA computes
values $h(I_A \,|\, j)$ for some numbers j until it finds integers
$$v_1 = h(I_A \,|\, j_1), \dots, v_k = h(I_A \,|\, j_k),$$
which are squares modulo n. Let $s_1, \dots, s_k$ be the square roots of $v_1, \dots, v_k$ respectively.
These can be computed with the knowledge of p and q. Now the parameters $I_A, n, j_1, \dots, j_k$
are made public. The roots $s_1, \dots, s_k$ are given to A who keeps them secret. The TA
might now discard the roots and the factorization of n to increase security.
The identification to an ATM, for example, works in the following way.
- The ATM reads $I_A$ from A's card.
- It downloads $n, j_1, \dots, j_k$ from a public database.
- The ATM computes the values $v_i = h(I_A \,|\, j_i)$ for $1 \le i \le k$.
- A now proves to the ATM her knowledge of $s_i$ using the FFS protocol.
- The above procedure is repeated t times.
12.4.2. Schnorr Identification Protocol
The objective of the protocol is that A proves her identity to B. It relies on the hardness
of computing discrete logarithms.
System parameters
1. A trusted authority TA chooses
   - primes p and q such that $q \mid p-1$ ($p \approx 2^{1024}$, $q \approx 2^{160}$),
   - an element $\alpha \in \mathbb{Z}_p^*$ of order q (e.g., $\alpha = \beta^{(p-1)/q} \bmod p$ for some primitive
     element $\beta$).
   The TA publishes and signs $p, q, \alpha$ as well as a security parameter t with $2^t < q$ ($t \approx 40$).
2. Each user A
   - chooses a private key a, $0 \le a \le q-1$,
   - computes $v = \alpha^{-a} \bmod p$ and
   - publishes v (TA signs (A, v) after securing the identity of A).
Protocol actions
1. A chooses a random number $r \in \{1, \dots, q-1\}$ and computes $x = \alpha^r \bmod p$.
   $A \to B : x$. (witness)
2. B chooses a random number $e \in \{1, \dots, 2^t\}$.
   $B \to A : e$. (challenge)
3. A checks whether $1 \le e \le 2^t$, otherwise rejects.
   $A \to B : y = (ae + r) \bmod q$. (response)
4. B computes $z = \alpha^y v^e \bmod p$ and verifies $z = x$.
Correctness, Security and Efficiency
- The protocol is correct, since (with $ae + r = ((ae + r) \bmod q) + lq$ for some integer l)
$$\alpha^y v^e \equiv \alpha^{(ae+r) \bmod q} \alpha^{-ae} \equiv \alpha^{ae+r-lq} \alpha^{-ae} \equiv \alpha^r \alpha^{-lq} \equiv \alpha^r \equiv x \pmod p.$$
- Suppose an opponent O guesses e prior to sending x; then he chooses some y and
computes $x = \alpha^y v^e$. Then he sends x in the first step and y in the third step of the
protocol. Then
$$z \equiv \alpha^y v^e \equiv x \pmod p$$
and B accepts O's identity as A's.
- The protocol is particularly suited for smart cards, as the expensive part of the
computation, the fast exponentiation in step 1, can be precomputed offline and
the computations in step 3 are one (relatively cheap) modular multiplication and an
addition.
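Added example (Python, not from the notes): the Schnorr protocol steps above, with the challenge range check of step 3, plus the guessed-challenge scenario from the security remark, which passes only when the guess was right. The parameters p = 607, q = 101, $\alpha$ = 64 = 2^((p-1)/q) mod p and t = 6 are constructed toy values.

```python
# Constructed toy parameters: q | p-1 and ALPHA = 2^((p-1)/q) mod p has order q; 2^T < q.
P, Q, ALPHA, T = 607, 101, 64, 6


def params_ok() -> bool:
    return (P - 1) % Q == 0 and ALPHA != 1 and pow(ALPHA, Q, P) == 1 and 2 ** T < Q


def public_key(a: int) -> int:
    """v = alpha^(-a) mod p."""
    return pow(ALPHA, -a, P)


def witness(r: int) -> int:
    """Step 1: x = alpha^r mod p (the part a smart card can precompute offline)."""
    return pow(ALPHA, r, P)


def response(a: int, e: int, r: int) -> int:
    """Step 3: check the challenge range, then y = (ae + r) mod q."""
    if not 1 <= e <= 2 ** T:
        raise ValueError("challenge out of range")
    return (a * e + r) % Q


def verify(v: int, x: int, e: int, y: int) -> bool:
    """Step 4: z = alpha^y v^e mod p must equal the witness x."""
    return pow(ALPHA, y, P) * pow(v, e, P) % P == x


def forged_witness(v: int, y: int, e_guess: int) -> int:
    """Opponent O who guesses e before step 1: x = alpha^y v^e for a y chosen in advance."""
    return pow(ALPHA, y, P) * pow(v, e_guess, P) % P


def honest_run(a: int, r: int, e: int) -> bool:
    """Full exchange between A (secret a, nonce r) and B (challenge e)."""
    v = public_key(a)
    x = witness(r)
    return verify(v, x, e, response(a, e, r))
```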
12.5. Threshold Cryptography
Consider the following problem (from [Liu68] or [Sha79]):
    Eleven scientists are working on a secret project. They wish to lock up the
    documents in a cabinet so that the cabinet can be opened if and only if six
    or more of the scientists are present. What is the smallest number of locks
    needed? What is the smallest number of keys each scientist must carry?
The answer is that 462 locks are needed and that every scientist has to carry 252 keys.
In [Sha79], an elegant cryptographic scheme is introduced, which solves problems like this
one:
Definition 12.1. Let D be some secret data. If D is divided into n parts $D_1, \dots, D_n$ in
a way that
- knowledge of any k or more $D_i$ pieces makes D easily computable and
- knowledge of any $k-1$ or fewer pieces yields no information about D,
we call this a (k, n) threshold scheme.
How can such a scheme be constructed? Given integers k, n and D, first find a prime
$p > D, n$. Then pick a random polynomial of degree $k-1$
$$q(X) = a_{k-1} X^{k-1} + a_{k-2} X^{k-2} + \dots + a_1 X + a_0 \in \mathbb{F}_p[X]$$
with $a_0 = D$ and evaluate $D_1 = q(1), D_2 = q(2), \dots, D_n = q(n)$. Given any k of these $D_i$
values together with their identifying indices, the polynomial q(X) can be computed using
interpolation, which yields D = q(0).
Then again, if an attacker knows $k-1$ of the pieces $D_i$, for each value $D' \in \mathbb{F}_p$ there exists
exactly one $(k-1)$-degree polynomial $q' \in \mathbb{F}_p[X]$ such that $q'(0) = D'$ and $q'(i) = D_i$ for
the $k-1$ given pieces. Hence knowledge of $k-1$ pieces yields no information about D
at all.
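Added example (Python, not from the notes): Shamir's (k, n) scheme as constructed above, with Lagrange interpolation over $\mathbb{F}_p$ to recover D = q(0) from any k shares, and a function that makes the last paragraph concrete: given only k-1 shares, every guess D' determines a different, equally consistent polynomial q'. The prime p = 257 and the seed are constructed for the demonstration.

```python
import random


def eval_poly(coeffs: list, x: int, p: int) -> int:
    """Evaluate a_0 + a_1 x + ... + a_{k-1} x^{k-1} over F_p (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret: int, k: int, n: int, p: int, seed=None) -> list:
    """(k, n) threshold scheme: shares (i, D_i) with D_i = q(i), i = 1..n, q(0) = secret.
    `seed` only makes a demo reproducible; real use takes the default SystemRandom."""
    if not (0 <= secret < p and n < p and 1 <= k <= n):
        raise ValueError("need p > secret, p > n and 1 <= k <= n")
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    coeffs = [secret] + [rng.randrange(p) for _ in range(k - 1)]   # a_0 = D, rest random
    return [(i, eval_poly(coeffs, i, p)) for i in range(1, n + 1)]


def interpolate_at(points: list, x: int, p: int) -> int:
    """Lagrange interpolation over F_p: value at x of the unique polynomial of degree
    < len(points) passing through the given (x_i, y_i)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def reconstruct(shares: list, p: int) -> int:
    """Any k shares determine q, and the secret is D = q(0)."""
    return interpolate_at(shares, 0, p)


def share_implied_by_guess(partial: list, guess: int, index: int, p: int) -> int:
    """With only k-1 shares, each guess D' fixes exactly one polynomial q' with q'(0) = D'
    through them; returns q'(index), i.e. the missing share that guess would imply."""
    return interpolate_at(partial + [(0, guess)], index, p)
```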
13. Elliptic Curves
Several public key cryptosystems are based on the hardness of the DLP or the DHP
respectively, including
- the Diffie-Hellman key exchange (cf. Section 7.1),
- the ElGamal public key cryptosystem (cf. Section 8.2) and
- the ElGamal signature scheme (cf. Section 11.1).
Basically all these protocols can be carried out in an arbitrary finite cyclic group; the main
requirement is that the DLP is hard in that group.
In 1985, Miller and Koblitz independently suggested the group of points on elliptic curves
over finite fields for use in such cryptosystems [Kob87b], [Mil86].
The main advantage of this group is that keys and parameters can be chosen of much
smaller size for comparable security, which makes these groups specially suited for imple-
mentations on restricted hardware such as for example smart cards.
13.1. Foundations and Definitions
Throughout the whole chapter let K denote a field (for example $\mathbb{Q}$, $\mathbb{R}$, $\mathbb{C}$ or a finite field
$\mathbb{F}_{p^m}$) and $\overline{K}$ its algebraic closure. If $K = \mathbb{F}_{p^m}$ for a prime p, we will assume that $p > 3$.
Definition 13.1. An elliptic curve E/K over the field K is described by an equation
$$E : Y^2 = X^3 + aX + b, \quad a, b \in K$$
or $f(X, Y) = Y^2 - X^3 - aX - b = 0$
with discriminant $\Delta = -16(4a^3 + 27b^2) \ne 0$.
For an algebraic extension field $L \supseteq K$ we call
$$E(L) = \{(x, y) \in L \times L \mid f(x, y) = 0\} \cup \{O\}$$
the set of L-rational points on E; O denotes the point at infinity.
Example. a) Given the equation $E_1 : Y^2 = X^3 - X$ over $\mathbb{R}$, hence $a = -1$, $b = 0$.
Does this equation describe an elliptic curve?
Compute $\Delta = -16(4 \cdot (-1)^3) = 64 \ne 0 \implies E_1$ describes an elliptic curve.
b) Given the equation $E_2 : Y^2 = X^3 + 2X + 2$ over the field $\mathbb{F}_5$, hence $a = 2$, $b = 2$.
Same question: Does this equation describe an elliptic curve?
Compute $\Delta = -16(4 \cdot 2^3 + 27 \cdot 2^2) \equiv -16(2 + 3) \equiv 0 \pmod 5 \implies E_2$ does not
describe an elliptic curve.
Figure 13.1.: Point addition $P + Q = R$ on $E : y^2 = x^3 - x$ over $\mathbb{R}$
Remark. a) E/K means that $a, b \in K$.
b) If $a, b \in K$, then $a, b \in L$ for any extension field $L \supseteq K$, hence every curve over K is
also a curve over L.
c) For p = 2, 3 the curve equation becomes slightly more complicated.
d) The condition $\Delta \ne 0$ avoids so-called singularities.
13.2. The Group Law
On the set of L-rational points on an elliptic curve E(L) we define a law of composition.
For curves over $\mathbb{R}$ this law has a geometric interpretation as follows (cf. Figures 13.1
and 13.2):
Add the points $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$:
1. Draw a line through $P_1$ and $P_2$ (a tangent to the curve, if $P_1 = P_2$).
2. Obtain a third intersection $\tilde{P}_3$ with the curve (O, if there is no third intersection in
the real image).
3. Reflect $\tilde{P}_3$ about the x-axis to obtain $P_3 = P_1 + P_2$.
This addition can be described in formulas that are applicable for curves over an arbitrary
field K:
Addition in E(L) Let $P = (x, y)$, $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2) \in E(L)$ for $L \supseteq K$.
(i) $P + O = P$ for all $P \in E(L)$, hence O is the unit element,
(ii) $P + (x, -y) = O$, hence the inverse of (x, y) is $(x, -y)$,
Figure 13.2.: Point addition $2P = R$ on $E : Y^2 = X^3 - X$ over $\mathbb{R}$
(iii) If $P_1 \ne \pm P_2$ it holds that $P_3 = (x_3, y_3) = P_1 + P_2$ with
$$x_3 = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2 - x_1 - x_2, \qquad y_3 = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)(x_1 - x_3) - y_1,$$
(iv) If $P_1 \ne -P_1$ it holds that $2P_1 = P_1 + P_1 = (x_3, y_3)$ with
$$x_3 = \left(\frac{3x_1^2 + a}{2y_1}\right)^2 - 2x_1, \qquad y_3 = \left(\frac{3x_1^2 + a}{2y_1}\right)(x_1 - x_3) - y_1.$$
Theorem 13.2. Together with the law of composition defined above, E(L) is an abelian
group with unit element O.
Proof. $P_1 + P_2 \in E(L)$: Can be proved by the geometrical definition of addition or by
plugging the result of the addition into the curve equation.
Unit element: The unit element is O, by definition of the addition.
Inverses: The inverse of (x, y) is $(x, -y)$, see definition.
Associativity: The proof of associativity involves some long computations and is left out
here.
Commutativity: Follows from the formulas for addition and doubling.
13.2.1. Group Order $\#E(\mathbb{F}_q)$
If $K = \mathbb{F}_q = \mathbb{F}_{p^k}$, there exist only finitely many points in E(K). More precisely, the point
O is always in E(K), hence $|E(K)| = \#E(K) \ge 1$.
For some fixed $x \in \mathbb{F}_q$ (for which we have q possibilities), the equation $Y^2 = x^3 + ax + b$
has at most 2 solutions for Y, hence $\#E(\mathbb{F}_q) \le 2q + 1$.
Write $\#E(\mathbb{F}_q) = q + 1 - t$, $t \in \mathbb{Z}$ and $|t| \le q$. The number t is called the trace of E.
Theorem 13.3. (Hasse, 1933) Given an elliptic curve $E/\mathbb{F}_q$. Then $\#E(\mathbb{F}_q) = q + 1 - t$
and $|t| \le 2\sqrt{q}$.
Proof. Cf. [Sil86, Thm. V.1.1].
Remark.
- It follows that $q + 1 - 2\sqrt{q} \le \#E(\mathbb{F}_q) \le q + 1 + 2\sqrt{q}$.
- $\#E(\mathbb{F}_q)$ is in the magnitude of q.
- Knowledge of $\#E(\mathbb{F}_q)$ is important for cryptographic applications.
- In order to determine $\#E(\mathbb{F}_q)$ use point counting algorithms (Schoof's algorithm) or
construct elliptic curves with prescribed order (Complex Multiplication method).
Example. Consider the elliptic curve $E : Y^2 = X^3 + 1$ over $\mathbb{F}_5$. Determine all points on E:
  a | a^2 | a^3 | a^3 + 1
  0 |  0  |  0  |   1
  1 |  1  |  1  |   2
  2 |  4  |  3  |   4
  3 |  4  |  2  |   3
  4 |  1  |  4  |   0
Hence, $E(\mathbb{F}_5) = \{(0, 1), (0, 4), (2, 2), (2, 3), (4, 0), O\} \implies \#E(\mathbb{F}_5) = 6 \implies t = 0$.
The point (2, 2) is a generator of $E(\mathbb{F}_5)$:
$1 \cdot (2, 2) = (2, 2)$
$2 \cdot (2, 2) = (2, 2) + (2, 2) = (0, 4)$
$3 \cdot (2, 2) = (2, 2) + (0, 4) = (4, 0)$
$4 \cdot (2, 2) = (2, 2) + (4, 0) = (0, 1)$
$5 \cdot (2, 2) = (2, 2) + (0, 1) = (2, 3)$
$6 \cdot (2, 2) = O$.
Hence, $E(\mathbb{F}_5) \cong \mathbb{Z}_6$, the cyclic group of order 6.
13.3. The DLP on Elliptic Curves
For the construction of cryptosystems on $E(\mathbb{F}_p)$, we rephrase the discrete logarithm prob-
lem for elliptic curves:
ECDLP: Given an elliptic curve $E/\mathbb{F}_q$ and a point $P \in E(\mathbb{F}_q)$. Let $\mathrm{ord}(P) = n$ and let
$Q \in \langle P \rangle$. Determine $a \in \{0, \dots, n-1\}$ such that $Q = a \cdot P$. The integer a is called the
discrete logarithm of Q to the base P.
In order to appraise how hard the ECDLP is, we will now consider algorithms for com-
puting discrete logarithms.
13.3.1. Algorithms for Solving DLP/ECDLP
1. Generic algorithms, which are applicable to arbitrary finite cyclic groups:
- Exhaustive search: Check for all $a = 0, \dots, n-1$ whether $Q = aP$. The complexity
of this algorithm is obviously in O(n).
- Babystep-Giantstep algorithm: This algorithm is due to Shanks; it reduces the
computing time for solving the DLP by extensive memory usage:
Let $m = \lceil \sqrt{n} \rceil$. There exist $q \in \mathbb{N}$ and $r \in \{0, \dots, m-1\}$ such that
$$a = qm + r \implies Q = aP = qmP + rP \implies Q - rP = q(mP).$$
The algorithm computes all values $Q - rP$, $0 \le r \le m-1$, and stores them
(babysteps). If $Q - rP = O$ for some r, then the discrete logarithm has been
computed. Otherwise compute mP and then successively q(mP) and compare
(giantsteps).
The algorithm needs m babysteps and m giantsteps in the worst case; it also
needs to store m precomputed values, hence both time and memory complexity
are in $O(\sqrt{n})$.
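Added example (Python, not from the notes) serving both the group law of Section 13.2 with its $\mathbb{F}_5$ example and the Babystep-Giantstep algorithm just described: affine point arithmetic implementing rules (i) to (iv), brute-force point counting for small p, and Shanks' algorithm solving Q = aP exactly as derived above (baby steps Q - rP, giant steps q(mP)). The second curve, $Y^2 = X^3 + 2X + 3$ over $\mathbb{F}_{97}$, is a constructed toy instance.

```python
from math import isqrt

O = None   # the point at infinity


class Curve:
    """E: Y^2 = X^3 + aX + b over F_p with p > 3; affine points are (x, y) tuples."""
    def __init__(self, a: int, b: int, p: int):
        if (-16 * (4 * a ** 3 + 27 * b ** 2)) % p == 0:
            raise ValueError("discriminant is 0 mod p: singular curve")
        self.a, self.b, self.p = a % p, b % p, p

    def contains(self, P) -> bool:
        if P is O:
            return True
        x, y = P
        return (y * y - x ** 3 - self.a * x - self.b) % self.p == 0

    def neg(self, P):
        return O if P is O else (P[0], (-P[1]) % self.p)          # (ii): -(x, y) = (x, -y)

    def add(self, P1, P2):
        if P1 is O:
            return P2                                            # (i): P + O = P
        if P2 is O:
            return P1
        (x1, y1), (x2, y2), p = P1, P2, self.p
        if x1 == x2 and (y1 + y2) % p == 0:
            return O                                             # (ii): P + (-P) = O
        if P1 == P2:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p   # (iv): tangent slope
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p               # (iii): chord slope
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k: int, P):
        """Scalar multiple kP by double-and-add."""
        R = O
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def points(self) -> list:
        """Brute-force list of E(F_p); fine for toy p, real curves need Schoof or CM."""
        return [O] + [(x, y) for x in range(self.p) for y in range(self.p)
                      if self.contains((x, y))]

    def order(self, P) -> int:
        """ord(P): smallest n with nP = O (linear search, toy sizes only)."""
        n, R = 1, P
        while R is not O:
            R = self.add(R, P)
            n += 1
        return n


def bsgs(curve: Curve, P, Q, n: int):
    """Shanks' Babystep-Giantstep for the ECDLP Q = aP with ord(P) = n.
    Baby steps store Q - rP for 0 <= r < m; giant steps walk q(mP) until a match."""
    m = isqrt(n - 1) + 1                                         # m = ceil(sqrt(n))
    baby = {}
    R = Q
    for r in range(m):
        if R is O:
            return r                                             # Q = rP found directly
        baby.setdefault(R, r)
        R = curve.add(R, curve.neg(P))                           # next value Q - (r+1)P
    mP = curve.mul(m, P)
    G = O                                                        # G = q(mP)
    for q in range(m + 1):
        if G in baby:
            return (q * m + baby[G]) % n
        G = curve.add(G, mP)
    return None
```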
- Pohlig-Hellman method: If the factorization of n is known, then this algorithm can
be used to reduce the DLP in the group of order n to several DLPs in subgroups
of prime order. Let $n = \prod_{i=1}^{r} p_i^{e_i}$ be the prime factorization of n.
The Pohlig-Hellman method first reduces the DLP to DLPs in subgroups
of order $p_i^{e_i}$ and then combines their solutions with the Chinese Remainder
Theorem.
For further reduction, each DLP in a subgroup of order $p_i^{e_i}$ can be reduced to
$e_i$ DLPs in a subgroup of order $p_i$.
A detailed description of the algorithm can be found in [MvOV96]. The Pohlig-
Hellman method needs approximately
$$\sum_{i=1}^{r} \big(e_i (\log n + \sqrt{p_i})\big) + (\log n)^2$$
operations, hence the complexity highly depends on the largest prime divisor
of n. For cryptographic purposes one should choose groups with a large prime
divisor.
Figure 13.3.: $\rho$-like shape of the pseudo-random sequence in Pollard's $\rho$-algorithm
- Pollard's $\rho$-algorithm: The idea behind Pollard's $\rho$-factoring method is to find num-
bers $c, d, c', d' \in \mathbb{Z}$ such that
$$cP + dQ = c'P + d'Q \tag{13.1}$$
$$\implies (c - c')P = (d' - d)Q = a(d' - d)P \tag{13.2}$$
$$\implies (c - c') \equiv (d' - d)a \pmod n. \tag{13.3}$$
If $\gcd(d' - d, n) = 1$, the discrete logarithm can be computed as $a = (c - c')(d' - d)^{-1} \pmod n$.
To find such numbers $c, d, c'$ and $d'$, a pseudo-random sequence
$(X_i = c_i P + d_i Q)_{i \ge 0}$ is generated. On a finite set, a collision will occur in this
sequence, hence the sequence can be visualized like in Figure 13.3. The $\rho$-like
shape of this visualization led to the name of the algorithm.
Like for the Babystep-Giantstep algorithm, the time complexity is in $O(\sqrt{n})$,
whereas the memory complexity is in O(1). For details on this algorithm, see
[MvOV96].
2. Specialized methods, which are applicable only to some very special groups that use some more structure:

Reduction algorithms for ECDLP (MOV/Frey-Rück attack): In [MVO91], Menezes, Okamoto and Vanstone introduced a method to reduce the ECDLP in $E(\mathbb{F}_q)$ to a DLP in $\mathbb{F}^*_{q^k}$, where $k$ is the so called embedding degree of the elliptic curve (for details, see [CFD+06]). This method was further investigated and generalized by Frey and Rück in [FR94].
This attack against the ECDLP can be avoided by choosing an elliptic curve $E$ with large embedding degree $k$.

Index-Calculus: The index-calculus algorithm is similar to sieving methods for factorization of large integers. The idea is to first construct a factorbase containing "small" elements, such that sufficiently many group elements can be represented as a product (a sum for additive groups) of elements from this factorbase. Then discrete logarithms are computed for the elements from the factorbase, which leads to a system of linear equations. This system is solved in the final step to compute the DL. A detailed description of the index-calculus algorithm can be found in [MvOV96].
The index-calculus algorithm is the most efficient algorithm known for computations of DLs in $\mathbb{F}^*_p$ and $\mathbb{F}^*_q$. Its time complexity is subexponential, it is in

$$O\left(\exp\left(\sqrt[3]{\tfrac{64}{9}}\,(\log n)^{1/3}(\log\log n)^{2/3}\right)\right).$$

The index-calculus has not yet been successfully applied to the ECDLP with subexponential runtime.
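The collision idea of Pollard's $\rho$-algorithm described above, as an added example that is not part of these notes: a Python implementation for the prime-order subgroup of $\mathbb{Z}_p^*$ (multiplicative notation, so $cP + dQ$ reads $g^c h^d$) with Floyd cycle finding on a three-way pseudo-random walk. The values $p = 1019$, $n = 509$, $g = 4$ and the secret exponent 123 are constructed toy parameters.

```python
import math
import random

def pollard_rho_dlog(g, h, p, n, seed=1):
    """Pollard's rho for the DLP h = g^a in the subgroup of Z_p^* of prime order n
    generated by g.  In the additive notation of the notes P = g, Q = h, and the
    walk tracks X_i = c_i P + d_i Q, written multiplicatively as g^c_i * h^d_i."""
    rng = random.Random(seed)

    def step(x, c, d):
        # Pseudo-random walk: x mod 3 selects one of three maps, each of which
        # keeps the exponents consistent with x = g^c * h^d.
        r = x % 3
        if r == 0:
            return (x * h) % p, c, (d + 1) % n                 # X <- X + Q
        if r == 1:
            return (x * x) % p, (2 * c) % n, (2 * d) % n       # X <- 2X
        return (x * g) % p, (c + 1) % n, d                     # X <- X + P

    while True:
        # Random start X_0 = c_0 P + d_0 Q.
        c0, d0 = rng.randrange(n), rng.randrange(n)
        x0 = (pow(g, c0, p) * pow(h, d0, p)) % p
        tort = hare = (x0, c0, d0)
        # Floyd cycle finding: tortoise moves one step, hare two, until X_i = X_2i.
        while True:
            tort = step(*tort)
            hare = step(*step(*hare))
            if tort[0] == hare[0]:
                break
        _, c, d = tort
        _, c2, d2 = hare
        # Collision cP + dQ = c'P + d'Q gives (c - c') = (d' - d) a (mod n), eq. (13.3).
        if math.gcd((d2 - d) % n, n) != 1:
            continue                       # d = d' (mod n): useless collision, restart
        a = ((c - c2) * pow((d2 - d) % n, -1, n)) % n
        if pow(g, a, p) == h:
            return a

# Constructed toy instance: p = 1019 = 2*509 + 1, n = 509 prime, g = 4 generates
# the subgroup of quadratic residues, which has order 509.
P_TOY, N_TOY, G_TOY = 1019, 509, 4

def recover_toy_secret(secret=123):
    """Publish h = g^secret and recover `secret` again with the rho walk."""
    h = pow(G_TOY, secret, P_TOY)
    return pollard_rho_dlog(G_TOY, h, P_TOY, N_TOY)

if __name__ == "__main__":
    print("recovered exponent:", recover_toy_secret())   # 123
```

The walk needs about $\sqrt{n}$ steps and constant memory, which is why the group order must have a prime factor of at least 160 bits in practice.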
13.3.2. Cryptographically Secure Elliptic Curves
For cryptographical purposes one chooses a cyclic group $\langle P \rangle \subseteq E(\mathbb{F}_q)$, such that
- $\langle P \rangle$ contains at least $2^{160}$ points, hence neither exhaustive search nor Babystep-Giantstep nor Pollard's $\rho$-attack are feasible,
- $\mathrm{ord}(P) = |\langle P \rangle|$ has a prime factor of size $2^{160}$ (160 bits), hence also the Pohlig-Hellman attack is infeasible,
- reduction attacks are infeasible (large embedding degree $k$).
13.3.3. Comparison DLP vs. ECDLP
There exist more efficient algorithms for solving the DLP in $\mathbb{F}^*_p$ and $\mathbb{F}^*_q$ than for $E(\mathbb{F}_q)$, hence elliptic curve cryptography (ECC) has some security advantage. The following systems are considered to have the same security level:

DL on $\mathbb{F}^*_p$          | RSA             | ECDL
$p$: 2432 bits                  | $n$: 2432 bits  | $n$: 224 bits
$q$: 224 bits (group order)     |                 |
13.4. Cryptographic Applications
Having selected a cryptographically secure curve, we are able to carry out cryptographic protocols based on the ECDLP. This section describes three such schemes, several more are considered in [HMV04].

13.4.1. Diffie-Hellman Key Exchange
The Diffie-Hellman key exchange protocol can be transferred to the group $E(\mathbb{F}_q)$ without much effort, let $P \in E(\mathbb{F}_q)$ and $\mathrm{ord}(P) = n$. Then the protocol actions can be described as follows:
- A chooses a random secret $x \in \{2, \ldots, n-2\}$ and sends to B: $Q_A = xP$,
- B chooses a random secret $y \in \{2, \ldots, n-2\}$ and sends to A: $Q_B = yP$,
- B receives $Q_A$ and computes the shared key $xyP = yQ_A$,
- A receives $Q_B$ and computes the shared key $xyP = xQ_B$.
13.4.2. ElGamal on Elliptic Curves (ECElGamal)
The ECElGamal encryption assumes that messages can be represented as elements of the group $\langle P \rangle$. However, the conversion from binary strings to elliptic curve points is not trivial, for details see [BLS01, 3.2]. Protocol actions of ECElGamal are as follows:
Key generation: A chooses a random number $x_A \in \{2, \ldots, n-2\}$ (private key) and computes $x_A P$ (public key).
Encryption: B wants to encrypt $m \in \langle P \rangle$ using A's public key $x_A P$:
- B chooses random $k \in \{2, \ldots, n-2\}$ and computes $Q = kP$,
- B computes $R = k(x_A P) + m$,
- B sends to A: $(Q, R)$.
Decryption: A deciphers using her private key $x_A$:
- A computes $x_A Q = x_A k P$,
- A computes $R - x_A Q = k x_A P + m - x_A k P = m$.
13.4.3. The Elliptic Curve Integrated Encryption Scheme (ECIES)
In 2001, Abdalla, Bellare and Rogaway suggested an encryption scheme named DHIES, which can be carried out in an arbitrary finite cyclic group. This section describes the elliptic curve variant of this scheme which has been standardized in ANSI X9.63.
ECIES is a variant of the ElGamal cryptosystem. A Diffie-Hellman shared secret is used to derive two keys $k_1$ and $k_2$. The key $k_1$ is used for symmetric encryption, whereas $k_2$ is used for ciphertext authentication, which protects against chosen-ciphertext attacks, as an attacker is not even capable of generating valid ciphertexts.
The ECIES scheme involves the following cryptographic primitives:
- Key derivation function (KDF): A cryptographic hash function $H$ and a counter $i$ are used to derive a key of arbitrary length from a given bitstring $S$ via
  $\mathrm{KDF}(S) = H(S, 0) \,\|\, H(S, 1) \,\|\, \ldots \,\|\, H(S, i) \,\|\, \ldots$ (until enough key bits are generated),
- Symmetric encryption function ENC: Here, any symmetric cipher can be used, for example AES,
- Corresponding decryption function DEC,
- Message authentication code MAC: for example HMAC.
Based on these primitives, the system can be described as follows:
System parameters: $\mathbb{F}_p$, $p$ prime, an elliptic curve $E: Y^2 = X^3 + aX + b$ over $\mathbb{F}_p$, $P \in E(\mathbb{F}_p)$, such that $\mathrm{ord}(P) = n$ prime, $h = \#E(\mathbb{F}_p)/n$.
Key generation: Each user chooses a random $d \in \{2, \ldots, n-2\}$ (private key) and computes $Q = dP$ (public key).
Encryption of $m \in \{0, 1\}^*$:
1. Choose a random $k \in \{2, \ldots, n-2\}$,
2. Compute $R = kP$ and $Z = hkQ$, if $Z = O$ go to step 1,
3. $(k_1, k_2) \leftarrow \mathrm{KDF}(x_Z, R)$, where $x_Z$ is the $x$-coordinate of $Z$,
4. Compute $C = \mathrm{ENC}_{k_1}(m)$ and $t = \mathrm{MAC}_{k_2}(C)$,
5. Send $(R, C, t)$.
Decryption:
1. Assure the validity of $R$ ($R \in E(\mathbb{F}_p)$ and $R \neq O$),
2. Compute $Z = hdR$, check whether $Z \neq O$,
3. Derive $(k_1, k_2) \leftarrow \mathrm{KDF}(x_Z, R)$,
4. Compute $t' = \mathrm{MAC}_{k_2}(C)$, check whether $t = t'$,
5. Compute $m = \mathrm{DEC}_{k_1}(C)$.
To show that decryption leads to the correct message $m$, we only have to prove that $Z$ is computed correctly:
$$hdR = hd(kP) = hk(dP) = hkQ.$$
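The ECIES steps above, together with the point arithmetic that the Diffie-Hellman and ECElGamal schemes of this section also rely on, as an added example that is not from these notes or from ANSI X9.63. The toy curve $Y^2 = X^3 + X + 1$ over $\mathbb{F}_{23}$ (28 points, $n = 7$, $h = 4$), SHA-256 as $H$ in the KDF, HMAC-SHA-256 as MAC, and a SHA-256 counter keystream standing in for AES are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import random
# Constructed toy parameters (illustration only; real ECIES uses ~256-bit curves):
# E: Y^2 = X^3 + X + 1 over F_23 with #E(F_23) = 28 = h*n, n = 7 prime, h = 4.
p, A, B = 23, 1, 1
O = None                                          # point at infinity

def ec_add(P1, P2):
    """Chord-and-tangent addition on E(F_p) in affine coordinates."""
    if P1 is O: return P2
    if P2 is O: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:           # P1 = -P2
        return O
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P1):                                # scalar multiple k*P1, double-and-add
    R = O
    while k > 0:
        if k & 1: R = ec_add(R, P1)
        P1, k = ec_add(P1, P1), k >> 1
    return R

def on_curve(P1):
    x, y = P1
    return (y * y - x ** 3 - A * x - B) % p == 0
n, h = 7, 4
P = ec_mul(h, (0, 1))                             # (0,1) lies on E; P = h*(0,1) has order n

def kdf(x_z, R):
    """KDF(S) = H(S,0) || H(S,1) || ... with S = (x_Z, R), H = SHA-256; returns (k1, k2)."""
    S = f"{x_z},{R[0]},{R[1]}".encode()
    stream = b"".join(hashlib.sha256(S + bytes([i])).digest() for i in range(2))
    return stream[:16], stream[16:48]             # 128-bit k1, 256-bit k2

def enc(k1, m):
    """ENC (and DEC): XOR with a SHA-256 counter keystream, a stand-in for AES (assumption)."""
    blocks = range(len(m) // 32 + 1)
    ks = b"".join(hashlib.sha256(k1 + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(m, ks))

def mac(k2, C):
    return hmac.new(k2, C, hashlib.sha256).digest()

def ecies_encrypt(Q, m, rng=None):
    """Encrypt m under public key Q = dP, following steps 1-5 of the notes."""
    rng = rng or random.SystemRandom()
    while True:
        k = rng.randrange(2, n - 1)                   # 1. k in {2, ..., n-2}
        R, Z = ec_mul(k, P), ec_mul(h * k, Q)         # 2. R = kP, Z = hkQ
        if Z is not O: break                          #    retry if Z = O
    k1, k2 = kdf(Z[0], R)                             # 3. keys from x_Z and R
    C = enc(k1, m)                                    # 4. C = ENC_k1(m)
    return R, C, mac(k2, C)                           #    t = MAC_k2(C); 5. send (R, C, t)

def ecies_decrypt(d, R, C, t):
    if R is O or not on_curve(R): raise ValueError("invalid R")   # 1.
    Z = ec_mul(h * d, R)                                          # 2. Z = hdR = hkQ
    if Z is O: raise ValueError("Z = O")
    k1, k2 = kdf(Z[0], R)                                         # 3.
    if not hmac.compare_digest(mac(k2, C), t):                    # 4. t' != t
        raise ValueError("MAC mismatch, ciphertext rejected")
    return enc(k1, C)                                             # 5. m = DEC_k1(C)
```

Decryption checks the MAC before touching the plaintext, so a modified $C$ is rejected without producing output, which is the chosen-ciphertext protection the text refers to.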
14. Quantum Cryptography
Quantum cryptography is closely related to quantum computing. There exists an efficient quantum algorithm for factoring large numbers ready to use once a powerful quantum computer exists. This would endanger many of the presently used cryptographic protocols and algorithms.
In parallel quantum cryptography was developed to ensure physically secure transmission, particularly secure against quantum computing facilities. Quantum cryptography is based on quantum effects, not easily accessible for non-physicists. Quantum mechanics is a difficult subject with concepts where everyday experiences are not applicable. We need particles, like electrons or photons, that we are able to observe. Photons make up light and are easily observable. They serve best for the purpose of explaining the basic principles of quantum cryptography.
14.1. A Quantum Experiment
Light is considered an example of an electromagnetic wave. Polarization refers to the direction in which the wave form is oriented.
Experiment:
- Filter 1: Vertically polarizing.
- Filter 2: Horizontally polarizing. Effect: No light passes through filter 2.
- Filter 3: Diagonally polarizing. Effect: Light is visible on the screen, intensity $\frac{1}{8}$.
Polarization of photons:
Polarization of photons can be described by a 2-dimensional (complex) vector $(a, b)^T$ of length $|a|^2 + |b|^2 = 1$. Choose a basis $|\updownarrow\rangle, |\leftrightarrow\rangle$ (notation taken from physics). An arbitrary polarization is represented as $(a, b)^T = a|\updownarrow\rangle + b|\leftrightarrow\rangle$. From the measurement postulate of quantum mechanics it follows: Given a device for measuring polarization with associated basis $|\updownarrow\rangle, |\leftrightarrow\rangle$, a photon with polarization $a|\updownarrow\rangle + b|\leftrightarrow\rangle$ is measured as $|\updownarrow\rangle$ with probability $|a|^2$ and as $|\leftrightarrow\rangle$ with probability $|b|^2$. Furthermore, measurement of the quantum state will change the state to the result of the measurement.
Explaining the experiment:
Polaroid filters perform a measurement of the polarity of photons. Photons with random polarization arriving at a filter with basis $|\updownarrow\rangle, |\leftrightarrow\rangle$ are measured
- as $|\updownarrow\rangle$ with probability $\frac{1}{2}$, have polarization $|\updownarrow\rangle$ and pass through,
- as $|\leftrightarrow\rangle$ with probability $\frac{1}{2}$, have polarization $|\leftrightarrow\rangle$ and are reflected or absorbed.
Filter 2 (without 3) with basis $|\leftrightarrow\rangle, |\updownarrow\rangle$ lets none of the photons pass through. Adding filter 3 with basis
$$|\nearrow\rangle, |\nwarrow\rangle = \tfrac{1}{\sqrt{2}}(|\updownarrow\rangle + |\leftrightarrow\rangle),\ \tfrac{1}{\sqrt{2}}(|\updownarrow\rangle - |\leftrightarrow\rangle)$$
has the following effect. Photons pass filter 1 with probability $\frac{1}{2}$ having polarization $|\updownarrow\rangle = \tfrac{1}{\sqrt{2}}(|\nearrow\rangle + |\nwarrow\rangle)$. These pass filter 3 with probability $\frac{1}{2}$ having polarization $|\nearrow\rangle$. These pass filter 2 with probability $\frac{1}{2}$ having polarization $|\leftrightarrow\rangle$. The intensity of light is $\frac{1}{8}$ of the original.
14.2. Quantum Key Exchange
Choose an orthonormal basis $|0\rangle, |1\rangle$ of a 2-dimensional complex vector space. Each unit vector is called a quantum bit (qubit), written as
$$a|0\rangle + b|1\rangle, \quad \text{s.t. } |a|^2 + |b|^2 = 1.$$
The probability of observing a qubit in state $|0\rangle$ is $|a|^2$. (A qubit corresponds to the polarization of a photon.)
Now suppose that Alice (A) and Bob (B) want to exchange a sequence of bits. They use a classical channel and a quantum channel (one which transmits photons without altering the polarization). Eve has access to both.
System parameters: Alice and Bob use two bases
$$B_1 = \{|\updownarrow\rangle, |\leftrightarrow\rangle\} \text{ (rectilinear, notation: +)},$$
$$B_2 = \{|\nearrow\rangle, |\nwarrow\rangle\} \text{ (diagonal, notation: } \times).$$
Encryption: Alice selects randomly $B_1$ or $B_2$. If she chooses $B_1$, she encodes
- 0 as $|\updownarrow\rangle$ (vertically polarized photon),
- 1 as $|\leftrightarrow\rangle$ (horizontally polarized photon),
if she chooses $B_2$, she encodes
- 0 as $|\nearrow\rangle$ (diagonally NE polarized photon),
- 1 as $|\nwarrow\rangle$ (diagonally NW polarized photon).
Decryption:
1. Bob measures the polarization of received photons randomly with $B_1$ or $B_2$, keeps the results secret.
2. B tells A over the classical channel which bases he has chosen.
3. A tells B which bases are correct.
A and B will agree on approximately half the amount of bits A has sent. These bits are used as a key for the one-time pad, DES, AES, etc.
Example: Alice chooses bits and random bases and sends qubits as described in the
following table:
Bits: 0 1 1 1 0 0 1 0
Random Bases (polaroids): + + + +
Qubits (photons): [ [ [ [ [ [ [ [
Bob chooses his random bases as follows. Alice and Bob agree on the bit sequence given
in the last row of the table:
Random Bases (polaroids): + + +
Correct are: c c c c c
Bits: - 1 - 1 0 - 1 0
The security of the described protocol is based on physical phenomena. If Eve observes
the photons from Alice, she will change the state, hence introducing additional errors.
Actual implementations work over a distance of 100 km (June 2007) using conventional fiber optical cables.
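The three-filter experiment of Section 14.1 and the key exchange of Section 14.2, simulated in Python as an added example that is not part of these notes: polarization states are real amplitude pairs, a seeded pseudo-random generator stands in for the random bit and basis choices (an assumption), and an intercept-resend Eve can be switched on to show the error rate her measurements introduce into the sifted key.

```python
import math
import random

# Polarization states as real amplitude pairs (a, b) in the rectilinear basis,
# the notes' a|v> + b|h> with |a|^2 + |b|^2 = 1 (real amplitudes suffice here).
V, H = (1.0, 0.0), (0.0, 1.0)                         # vertical, horizontal
NE, NW = (1 / math.sqrt(2), 1 / math.sqrt(2)), (1 / math.sqrt(2), -1 / math.sqrt(2))
B1, B2 = (V, H), (NE, NW)                             # "+" and "x"; index 0 encodes bit 0

def pass_prob(state, axis):
    """Measurement postulate: |<axis|state>|^2, rounded to absorb float error."""
    return round((state[0] * axis[0] + state[1] * axis[1]) ** 2, 12)

def filter_chain_intensity(filters):
    """Fraction of unpolarized light surviving a chain of polaroid filters.
    The first filter passes half of the randomly polarized photons; each later
    filter projects the collapsed state onto its own axis (Section 14.1)."""
    intensity, state = 0.5, filters[0]
    for axis in filters[1:]:
        intensity *= pass_prob(state, axis)
        state = axis                                  # measurement collapses the state
    return intensity

def measure(state, basis, rng):
    """Measure `state` in `basis`: returns (bit, collapsed state)."""
    bit = 0 if rng.random() < pass_prob(state, basis[0]) else 1
    return bit, basis[bit]

def bb84(n_bits, seed=1, eve=False):
    """Key exchange of Section 14.2; returns the sifted keys of Alice and Bob.
    With eve=True an intercept-resend eavesdropper measures every photon in a
    random basis and forwards the collapsed state, disturbing about 1/4 of the
    sifted bits.  The seeded generator stands in for true randomness (assumption)."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_bits)]
    alice_bases = [rng.choice((B1, B2)) for _ in range(n_bits)]
    bob_bases = [rng.choice((B1, B2)) for _ in range(n_bits)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon = a_basis[bit]                         # Alice encodes the bit in her basis
        if eve:
            _, photon = measure(photon, rng.choice((B1, B2)), rng)
        bob_bits.append(measure(photon, b_basis, rng)[0])
    # Public discussion over the classical channel: keep positions with equal bases.
    keep = [i for i in range(n_bits) if alice_bases[i] == bob_bases[i]]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]

def error_rate(key_a, key_b):
    """Fraction of disagreeing sifted bits; a value far above 0 reveals Eve."""
    return sum(x != y for x, y in zip(key_a, key_b)) / max(len(key_a), 1)

if __name__ == "__main__":
    print("three-filter intensity:", filter_chain_intensity([V, NE, H]))   # 0.125
    ka, kb = bb84(512)
    print("no Eve: sifted", len(ka), "bits, error rate", error_rate(ka, kb))
    ka, kb = bb84(512, eve=True)
    print("with Eve: error rate", error_rate(ka, kb))
```

Comparing a sample of the sifted bits over the classical channel is how Alice and Bob detect the disturbance; without Eve the sample agrees completely.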
A. Mathematical Background
A.1. Basics from Algebra and Number Theory
A.1.1. Groups
Definition A.1. A set $G$ together with a law of composition $\circ : G \times G \to G$, $(a, b) \mapsto a \circ b$ is called a group if the following holds:
- $(a \circ b) \circ c = a \circ (b \circ c)$ for all $a, b, c \in G$.
- There exists $e \in G$ with $a \circ e = e \circ a = a$ for all $a \in G$.
- For each $a \in G$ there exists $a' \in G$ such that $a \circ a' = a' \circ a = e$.
A group with
$$a \circ b = b \circ a \text{ for all } a, b \in G$$
is called commutative or abelian.
In most cases we will have additive or multiplicative groups. For an additive group we will write $+ : G \times G \to G$, $(a, b) \mapsto a + b$ for the law of composition and $-a$ for the inverse of $a$. The unit element of an additive group will often be denoted as $0$. Abelian groups are usually written additively.
For multiplicative groups we will write $\cdot : G \times G \to G$, $(a, b) \mapsto a \cdot b = ab$ for the law of composition and $a^{-1}$ for the inverse of $a$. The unit element of a multiplicative group will often be denoted with $1$.
Definition A.2. Let $(G, \circ)$ be a group. A subset $H \subseteq G$ is called subgroup of $G$ if $(H, \circ)$ is a group.
A.1.2. Rings
Definition A.3. A set $R$ together with two laws of composition $+ : R \times R \to R$, $(a, b) \mapsto a + b$ and $\cdot : R \times R \to R$, $(a, b) \mapsto a \cdot b$ is called ring if the following holds:
- $(R, +)$ is an abelian group.
- $(a \cdot b) \cdot c = a \cdot (b \cdot c)$.
- There exists $u \in R$ with $a \cdot u = u \cdot a = a$ for all $a \in R$.
- $(a + b) \cdot c = a \cdot c + b \cdot c$ and $c \cdot (a + b) = c \cdot a + c \cdot b$ for all $a, b, c \in R$.
A ring with
$$a \cdot b = b \cdot a \text{ for all } a, b \in R$$
is called commutative.
Definition A.4. Let $(R, +, \cdot)$ be a commutative ring and let $I \subseteq R$. $I$ is called ideal of $R$ if the following holds:
- $(I, +)$ is a group.
- $i \cdot r \in I$ for all $i \in I$ and all $r \in R$.
A.1.3. Fields
Definition A.5. A set $F$ together with two laws of composition $+ : F \times F \to F$, $(a, b) \mapsto a + b$ and $\cdot : F \times F \to F$, $(a, b) \mapsto a \cdot b$ is called field if the following holds:
- $(F, +)$ is an abelian group.
- $(F \setminus \{0\}, \cdot)$ is an abelian group.
- $c \cdot (a + b) = ca + cb$ for all $a, b, c \in F$.
A.2. Modular Arithmetic
Definition A.6. Two integers $a, b \in \mathbb{Z}$ are said to be congruent modulo $n \in \mathbb{N}$, if their difference $a - b$ is an integer multiple of $n$. It is denoted as
$$a \equiv b \pmod n$$
and is read as "$a$ is congruent to $b$ modulo $n$".
Proposition A.7. For $a, b \in \mathbb{Z}$ and $n \in \mathbb{N}$ the following equivalence holds.
$$a \equiv b \pmod n \iff \exists\, k \in \mathbb{Z} : a = b + kn$$
Proposition A.8. For $a, b \in \mathbb{Z}$ and $n \in \mathbb{N}$ it holds.
1. $a \equiv 0 \pmod n$, if and only if $n \mid a$
2. $a \equiv a \pmod n$
3. $a \equiv b \pmod n$, if and only if $b \equiv a \pmod n$
4. if $(a \equiv b \pmod n)$ and $(b \equiv c \pmod n)$ then $a \equiv c \pmod n$
Proof. 1.
$$a \equiv 0 \pmod n \iff a = a - 0 \text{ is a multiple of } n \iff n \mid a$$
2.
$$a - a = 0 \cdot n \Rightarrow a \equiv a \pmod n$$
3.
$$a \equiv b \pmod n \Rightarrow a - b = n \cdot k \Rightarrow b - a = n \cdot (-k) \Rightarrow b \equiv a \pmod n$$
Change roles of $a$ and $b$ for the reverse implication.
4.
$$a \equiv b \pmod n,\ b \equiv c \pmod n \Rightarrow a = b + n \cdot k,\ c = b + n \cdot l \Rightarrow a - c = b + n \cdot k - (b + n \cdot l) = n \cdot (k - l) \Rightarrow a \equiv c \pmod n$$
Example.
$$5 \equiv 12 \pmod 7$$
$$5 \equiv 14 \equiv -4 \pmod 9$$
Integers modulo $n$ are represented by the set
$$\mathbb{Z}_n = \{0, \ldots, n - 1\}.$$
The representative $r \in \mathbb{Z}_n$ of an integer $a$ is determined by solving the equation
$$a = n \cdot q + r,$$
such that $r \in \mathbb{Z}_n$ is fulfilled. The solution is unique.
Arithmetic Operations. Addition, subtraction and multiplication modulo $n$ are defined analogous to integers.
Proposition A.9. If $a \equiv b \pmod n$ and $c \equiv d \pmod n$ holds, it follows
$$a + c \equiv b + d,\quad a - c \equiv b - d,\quad a \cdot c \equiv b \cdot d \pmod n.$$
Example. Addition and multiplication tables modulo 6.
 + | 0 1 2 3 4 5
---+------------
 0 | 0 1 2 3 4 5
 1 | 1 2 3 4 5 0
 2 | 2 3 4 5 0 1
 3 | 3 4 5 0 1 2
 4 | 4 5 0 1 2 3
 5 | 5 0 1 2 3 4

 · | 0 1 2 3 4 5
---+------------
 0 | 0 0 0 0 0 0
 1 | 0 1 2 3 4 5
 2 | 0 2 4 0 2 4
 3 | 0 3 0 3 0 3
 4 | 0 4 2 0 4 2
 5 | 0 5 4 3 2 1
Example. Find the solution to $x + 7 \equiv 3 \pmod{17}$.
$$x + 7 \equiv 3 \pmod{17} \iff x \equiv 3 - 7 \pmod{17} \equiv -4 \pmod{17} \equiv 13 \pmod{17}$$
Division. Division is more complicated than on rational numbers. In general division by $a \bmod n$ is possible if $\gcd(a, n) = 1$.
Example.
$$2x + 7 \equiv 3 \pmod{17} \iff 2x \equiv -4 \pmod{17} \iff x \equiv -2 \pmod{17} \equiv 15 \pmod{17}$$
Example.
$$5x + 6 \equiv 13 \pmod{11} \iff 5x \equiv 7 \pmod{11}$$
What is $\frac{7}{5} \bmod 11$? We know that $7 + n \cdot k \equiv 7$. With this property we can write
$$5x \equiv 7 \equiv 18 \equiv 29 \equiv 40 \equiv \ldots \pmod{11} \Rightarrow x \equiv \frac{40}{5} \equiv 8 \pmod{11}$$
and find the solution.
Proposition A.10. Division by $a$ is equivalent to multiplication with its multiplicative inverse.
$$\frac{b}{a} \equiv b \cdot a^{-1} \pmod n \quad \text{where } a \cdot a^{-1} \equiv 1 \pmod n$$
To find the inverse $a^{-1} \bmod n$ we use the extended Euclidean Algorithm (cf. Section 6.3).
Example. Now we solve the division $\frac{7}{5} \bmod 11$ by finding the multiplicative inverse of 5 and multiplying it with 7, thus solving the division.
$$5 \cdot 9 \equiv 45 \equiv 1 \pmod{11}$$
$$x \equiv \frac{7}{5} \equiv 7 \cdot 5^{-1} \equiv 7 \cdot 9 \equiv 63 \equiv 8 \pmod{11}.$$
Bibliography
[AGP94] W. R. Alford, Andrew Granville, and Carl Pomerance. There are infinitely many Carmichael numbers. Annals of Mathematics, 139:703–722, 1994. http://cr.yp.to/bib/1994/alford.ps.
[AKS02] M. Agrawal, N. Kayal, and N. Saxena. PRIMES is in P, 2002. citeseer.ist.psu.edu/article/agrawal02primes.html.
[BG84] Manuel Blum and Shafi Goldwasser. An efficient probabilistic public-key encryption scheme which hides all partial information. In CRYPTO, pages 289–302, 1984. http://link.springer.de/link/service/series/0558/bibs/0196/01960289.htm.
[BLS01] Dan Boneh, Ben Lynn, and Hovav Shacham. Short signatures from the Weil pairing. In ASIACRYPT '01: Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security, pages 514–532, London, UK, 2001. Springer-Verlag.
[BS93] Eli Biham and Adi Shamir. Differential Cryptanalysis of the Data Encryption Standard. Springer-Verlag, London, UK, 1993.
[CFD+06] Henri Cohen, Gerhard Frey, Christophe Doche, Roberto M. Avanzi, Tanja Lange, Kim Nguyen, and Frederik Vercauteren. Handbook of Elliptic and Hyperelliptic Curve Cryptography. Discrete Mathematics and its Applications. Chapman & Hall/CRC, Taylor & Francis Group, Boca Raton, 2006.
[Coc73] C. Cocks. A note on non-secret encryption. Technical report, CESG, November 1973. http://www.cesg.gov.uk/site/publications/media/notense.pdf.
[DH76] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654, 1976. citeseer.ist.psu.edu/diffie76new.html.
[DR] J. Daemen and V. Rijmen. AES proposal: Rijndael. citeseer.ist.psu.edu/daemen98aes.html.
[ElG85] Taher ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. In Proceedings of CRYPTO 84 on Advances in Cryptology, pages 10–18, New York, NY, USA, 1985. Springer-Verlag New York, Inc.
[Ell70] James H. Ellis. The possibility of secure non-secret digital encryption. Technical report, CESG, January 1970. http://www.cesg.gov.uk/site/publications/media/possnse.pdf.
[FFS87] U. Feige, A. Fiat, and A. Shamir. Zero knowledge proofs of identity. In STOC '87: Proceedings of the nineteenth annual ACM conference on Theory of computing, pages 210–217, New York, NY, USA, 1987. ACM Press. http://doi.acm.org/10.1145/28395.28419.
[FR94] Gerhard Frey and Hans-Georg Rück. A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Math. Comput., 62(206):865–874, 1994.
[GCC88] Marc Girault, Robert Cohen, and Mireille Campana. A generalized birthday attack. In EUROCRYPT, pages 129–156, 1988. http://dsns.csie.nctu.edu.tw/research/crypto/HTML/PDF/E88/129.PDF.
[GM84] Shafi Goldwasser and Silvio Micali. Probabilistic encryption. J. Comput. Syst. Sci., 28(2):270–299, 1984.
[HMV04] D. Hankerson, A. Menezes, and S. A. Vanstone. Guide to Elliptic Curve Cryptography. Springer, New York, 2004.
[HW79] Godfrey H. Hardy and E. M. Wright. An Introduction to the Theory of Numbers. Oxford University Press, 5th edition, 1979.
[Ker83] Auguste Kerckhoffs. La cryptographie militaire. Journal des sciences militaires, IX:5–38, January 1883. http://www.petitcolas.net/fabien/kerckhoffs/crypto_militaire_1.pdf.
[Kob87a] Neal Koblitz. A Course in Number Theory and Cryptography. Springer-Verlag New York, Inc., New York, NY, USA, 1987.
[Kob87b] Neal Koblitz. Elliptic curve cryptosystems. In Mathematics of Computation, Vol. 48, pages 203–209, 1987.
[Koc96] Paul C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In CRYPTO '96: Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology, pages 104–113, London, UK, 1996. Springer-Verlag.
[Liu68] Chung L. Liu. Introduction to Combinatorial Mathematics (Computer Science Series). McGraw-Hill College, 1968.
[Mat96] R. Mathar. Informationstheorie. Teubner, Stuttgart, 1996.
[Mil86] Victor S. Miller. Uses of elliptic curves in cryptography. In Proceedings of CRYPTO 85, LNCS 218, pages 417–426. Springer-Verlag, 1986.
[MVO91] Alfred Menezes, Scott Vanstone, and Tatsuaki Okamoto. Reducing elliptic curve logarithms to logarithms in a finite field. In STOC '91: Proceedings of the twenty-third annual ACM symposium on Theory of computing, pages 80–89, New York, NY, USA, 1991. ACM Press.
[MvOV96] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, Boca Raton, 1996. http://www.cacr.math.uwaterloo.ca/hac.
[NBB+00] James Nechvatal, Elaine Barker, Lawrence Bassham, William Burr, Morris Dworkin, James Foti, and Edward Roback. Report on the development of the Advanced Encryption Standard (AES). Technical report, 2000. citeseer.ist.psu.edu/nechvatal00report.html.
[NYHR05] C. Neuman, T. Yu, S. Hartman, and K. Raeburn. The Kerberos Network Authentication Service (V5). RFC 4120 (Proposed Standard), July 2005. Updated by RFC 4537, http://www.ietf.org/rfc/rfc4120.txt.
[Pro] Federal Information Processing. FIPS PUB 198. http://citeseer.ist.psu.edu/659514.html.
[QQQ+90] Jean-Jacques Quisquater, Myriam Quisquater, Muriel Quisquater, Michael Quisquater, Louis C. Guillou, Marie Annick Guillou, Gad Guillou, Anna Guillou, Gwenole Guillou, Soazig Guillou, and Thomas A. Berson. How to explain zero-knowledge protocols to your children. In CRYPTO '89: Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology, pages 628–631, London, UK, 1990. Springer-Verlag.
[Rab79] M. O. Rabin. Digitalized signatures and public-key functions as intractable as factorization. Technical report, Cambridge, MA, USA, 1979. http://www.ncstrl.org:8900/ncstrl/servlet/search?formname=detail&id=oai%3Ancstrlh%3Amitai%3AMIT-LCS%2F%2FMIT%2FLCS%2FTR-212.
[Rab80] M. O. Rabin. Probabilistic algorithms for testing primality. Journal of Number Theory, 12:128–138, 1980.
[RSA78] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM, 21(2):120–126, 1978. http://doi.acm.org/10.1145/359340.359342.
[Sch96] Bruce Schneier. Applied Cryptography: Protocols, Algorithms, and Source Code in C. Wiley, New York, 2nd edition, 1996.
[Sha48] C. E. Shannon. A mathematical theory of communication. Bell System Technical Journal, 27:379–423 and 623–656, July and October 1948. http://cm.bell-labs.com/cm/ms/what/shannonday/shannon1948.pdf.
[Sha79] Adi Shamir. How to share a secret. Commun. ACM, 22(11):612–613, 1979. http://doi.acm.org/10.1145/359168.359176.
[Sil86] J. H. Silverman. The Arithmetic of Elliptic Curves. Springer-Verlag, New York, 1986.
[Sin99] Simon Singh. The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. Fourth Estate, London, 1999.
[Sti95] D. R. Stinson. Cryptography. CRC Press, Boca Raton, 1995.
[WT02] Lawrence C. Washington and Wade Trappe. Introduction to Cryptography: With Coding Theory. Prentice Hall PTR, Upper Saddle River, NJ, USA, 2002.